plugins/SpecialAdmin.php
changeset 179 e858bacb5cfa
parent 173 91127e62f38f
child 181 9237767a23ae
equal deleted inserted replaced
178:fd0e9c7a7b28 179:e858bacb5cfa
  2977           if( !isset($_GET['side']) || ( isset($_GET['side']) && !preg_match('#^([0-9]+)$#', $_GET['side']) ) )
  2977           if( !isset($_GET['side']) || ( isset($_GET['side']) && !preg_match('#^([0-9]+)$#', $_GET['side']) ) )
  2978           {
  2978           {
  2979             echo '<div class="warning-box" style="margin: 10px 0;">$_GET[\'side\'] contained an SQL injection attempt</div>';
  2979             echo '<div class="warning-box" style="margin: 10px 0;">$_GET[\'side\'] contained an SQL injection attempt</div>';
  2980             break;
  2980             break;
  2981           }
  2981           }
  2982           $query = $db->sql_query('UPDATE '.table_prefix.'sidebar SET sidebar_id=' . $db->escape($_GET['side']) . ' WHERE item_id=' . $db->escape($_GET['id']) . ';');
  2982           $query = $db->sql_query('UPDATE '.table_prefix.'sidebar SET sidebar_id=' . $db->escape($_GET['side']) . ' WHERE item_id=' . intval($_GET['id']) . ';');
  2983           if(!$query)
  2983           if(!$query)
  2984           {
  2984           {
  2985             echo $db->get_error();
  2985             echo $db->get_error();
  2986             $template->footer();
  2986             $template->footer();
  2987             exit;
  2987             exit;
  2988           }
  2988           }
  2989           echo '<div class="info-box" style="margin: 10px 0;">Item moved.</div>';
  2989           echo '<div class="info-box" style="margin: 10px 0;">Item moved.</div>';
  2990           break;
  2990           break;
  2991         case 'delete':
  2991         case 'delete':
  2992           $query = $db->sql_query('DELETE FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';'); // Already checked for injection attempts ;-)
  2992           $query = $db->sql_query('DELETE FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';'); // Already checked for injection attempts ;-)
  2993           if(!$query)
  2993           if(!$query)
  2994           {
  2994           {
  2995             echo $db->get_error();
  2995             echo $db->get_error();
  2996             $template->footer();
  2996             $template->footer();
  2997             exit;
  2997             exit;
  3002             die('GOOD');
  3002             die('GOOD');
  3003           }
  3003           }
  3004           echo '<div class="error-box" style="margin: 10px 0;">Item deleted.</div>';
  3004           echo '<div class="error-box" style="margin: 10px 0;">Item deleted.</div>';
  3005           break;
  3005           break;
  3006         case 'disenable';
  3006         case 'disenable';
  3007           $q = $db->sql_query('SELECT item_enabled FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';');
  3007           $q = $db->sql_query('SELECT item_enabled FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';');
  3008           if(!$q)
  3008           if(!$q)
  3009           {
  3009           {
  3010             echo $db->get_error();
  3010             echo $db->get_error();
  3011             $template->footer();
  3011             $template->footer();
  3012             exit;
  3012             exit;
  3013           }
  3013           }
  3014           $r = $db->fetchrow();
  3014           $r = $db->fetchrow();
  3015           $db->free_result();
  3015           $db->free_result();
  3016           $e = ( $r['item_enabled'] == 1 ) ? '0' : '1';
  3016           $e = ( $r['item_enabled'] == 1 ) ? '0' : '1';
  3017           $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET item_enabled='.$e.' WHERE item_id=' . $db->escape($_GET['id']) . ';');
  3017           $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET item_enabled='.$e.' WHERE item_id=' . intval($_GET['id']) . ';');
  3018           if(!$q)
  3018           if(!$q)
  3019           {
  3019           {
  3020             echo $db->get_error();
  3020             echo $db->get_error();
  3021             $template->footer();
  3021             $template->footer();
  3022             exit;
  3022             exit;
  3025           {
  3025           {
  3026             ob_end_clean();
  3026             ob_end_clean();
  3027             die('GOOD');
  3027             die('GOOD');
  3028           }
  3028           }
  3029           break;
  3029           break;
       
  3030         case 'rename';
       
  3031           $newname = $db->escape($_POST['newname']);
       
  3032           $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_name=\''.$newname.'\' WHERE item_id=' . intval($_GET['id']) . ';');
       
  3033           if(!$q)
       
  3034           {
       
  3035             echo $db->get_error();
       
  3036             $template->footer();
       
  3037             exit;
       
  3038           }
       
  3039           if(isset($_GET['ajax']))
       
  3040           {
       
  3041             ob_end_clean();
       
  3042             die('GOOD');
       
  3043           }
       
  3044           break;
  3030         case 'getsource':
  3045         case 'getsource':
  3031           $q = $db->sql_query('SELECT block_content,block_type FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';');
  3046           $q = $db->sql_query('SELECT block_content,block_type FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';');
  3032           if(!$q)
  3047           if(!$q)
  3033           {
  3048           {
  3034             echo $db->get_error();
  3049             echo $db->get_error();
  3035             $template->footer();
  3050             $template->footer();
  3036             exit;
  3051             exit;
  3042           die($r['block_content']);
  3057           die($r['block_content']);
  3043           break;
  3058           break;
  3044         case 'save':
  3059         case 'save':
  3045           if ( defined('ENANO_DEMO_MODE') )
  3060           if ( defined('ENANO_DEMO_MODE') )
  3046           {
  3061           {
  3047             $q = $db->sql_query('SELECT block_type FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';');
  3062             $q = $db->sql_query('SELECT block_type FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';');
  3048             if(!$q)
  3063             if(!$q)
  3049             {
  3064             {
  3050               echo 'var status=unescape(\''.hexencode($db->get_error()).'\');';
  3065               echo 'var status=unescape(\''.hexencode($db->get_error()).'\');';
  3051               exit;
  3066               exit;
  3052             }
  3067             }
  3058             else
  3073             else
  3059             {
  3074             {
  3060               $_POST['content'] = sanitize_html($_POST['content'], true);
  3075               $_POST['content'] = sanitize_html($_POST['content'], true);
  3061             }
  3076             }
  3062           }
  3077           }
  3063           $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_content=\''.$db->escape(rawurldecode($_POST['content'])).'\' WHERE item_id=' . $db->escape($_GET['id']) . ';');
  3078           $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_content=\''.$db->escape(rawurldecode($_POST['content'])).'\' WHERE item_id=' . intval($_GET['id']) . ';');
  3064           if(!$q)
  3079           if(!$q)
  3065           {
  3080           {
  3066             echo 'var status=unescape(\''.hexencode($db->get_error()).'\');';
  3081             echo 'var status=unescape(\''.hexencode($db->get_error()).'\');';
  3067             exit;
  3082             exit;
  3068           }
  3083           }
  3069           $q = $db->sql_query('SELECT block_type,block_content FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';');
  3084           $q = $db->sql_query('SELECT block_type,block_content FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';');
  3070           if(!$q)
  3085           if(!$q)
  3071           {
  3086           {
  3072             echo 'var status=unescape(\''.hexencode($db->get_error()).'\');';
  3087             echo 'var status=unescape(\''.hexencode($db->get_error()).'\');';
  3073             exit;
  3088             exit;
  3074           }
  3089           }
  3177         case BLOCK_PLUGIN:
  3192         case BLOCK_PLUGIN:
  3178           $parser = $template->makeParserText($vars['sidebar_section_raw']);
  3193           $parser = $template->makeParserText($vars['sidebar_section_raw']);
  3179           $c = ($template->fetch_block($row['block_content'])) ? $template->fetch_block($row['block_content']) : 'Can\'t find plugin block';
  3194           $c = ($template->fetch_block($row['block_content'])) ? $template->fetch_block($row['block_content']) : 'Can\'t find plugin block';
  3180           break;
  3195           break;
  3181       }
  3196       }
  3182       $t = $template->tplWikiFormat($row['block_name']);
  3197       $t = '<span title="Double-click to rename this block" id="sbrename_' . $row['item_id'] . '" ondblclick="ajaxRenameSidebarStage1(this, \''.$row['item_id'].'\'); return false;">' . $template->tplWikiFormat($row['block_name']) . '</span>';
  3183       if($row['item_enabled'] == 0) $t .= ' <span id="disabled_'.$row['item_id'].'" style="color: red;">(disabled)</span>';
  3198       if($row['item_enabled'] == 0) $t .= ' <span id="disabled_'.$row['item_id'].'" style="color: red;">(disabled)</span>';
  3184       else           $t .= ' <span id="disabled_'.$row['item_id'].'" style="color: red; display: none;">(disabled)</span>';
  3199       else           $t .= ' <span id="disabled_'.$row['item_id'].'" style="color: red; display: none;">(disabled)</span>';
  3185       $side = ( $row['sidebar_id'] == SIDEBAR_LEFT ) ? SIDEBAR_RIGHT : SIDEBAR_LEFT;
  3200       $side = ( $row['sidebar_id'] == SIDEBAR_LEFT ) ? SIDEBAR_RIGHT : SIDEBAR_LEFT;
  3186       $tb = '<a title="Enable or disable this block"    href="'.makeUrl($paths->page, 'action=disenable&id='.$row['item_id'].''       , true).'" onclick="ajaxDisenableBlock(\''.$row['item_id'].'\'); return false;"   ><img alt="Enable/disable this block" style="border-width: 0;" src="'.scriptPath.'/images/disenable.png" /></a>
  3201       $tb = '<a title="Enable or disable this block"    href="'.makeUrl($paths->page, 'action=disenable&id='.$row['item_id'].''       , true).'" onclick="ajaxDisenableBlock(\''.$row['item_id'].'\'); return false;"   ><img alt="Enable/disable this block" style="border-width: 0;" src="'.scriptPath.'/images/disenable.png" /></a>
  3187              <a title="Edit the contents of this block" href="'.makeUrl($paths->page, 'action=edit&id='.$row['item_id'].''            , true).'" onclick="ajaxEditBlock(\''.$row['item_id'].'\', this); return false;"><img alt="Edit this block" style="border-width: 0;" src="'.scriptPath.'/images/edit.png" /></a>
  3202              <a title="Edit the contents of this block" href="'.makeUrl($paths->page, 'action=edit&id='.$row['item_id'].''            , true).'" onclick="ajaxEditBlock(\''.$row['item_id'].'\', this); return false;"><img alt="Edit this block" style="border-width: 0;" src="'.scriptPath.'/images/edit.png" /></a>