Changeset 766128

Timestamp:

09/03/2013 07:09:07 AM (12 years ago)

Author:

laki_patel

Message:

Fix security issues

Location:

indianic-testimonial/trunk

Files:

• listing_data_table.php (added)
• paginate.class.php (deleted)
• testimonial.php (modified) (7 diffs)
• view.php (modified) (1 diff)

indianic-testimonial/trunk/testimonial.php

@@ -31 +31 @@
     add_action('wp_ajax_iNIC_testimonial_save', array($this, 'iNIC_testimonial_save'));
     add_action('wp_ajax_iNIC_testimonial_save_setting', array($this, 'iNIC_testimonial_save_setting'));
-    add_action('wp_ajax_iNIC_testimonial_delete', array($this, 'iNIC_testimonial_delete'));
     add_action('wp_ajax_iNIC_testimonial_save_widget', array($this, 'iNIC_testimonial_save_widget'));
     add_action('wp_ajax_iNIC_testimonial_delete_widget', array($this, 'iNIC_testimonial_delete_widget'));
@@ -42 +41 @@
       add_action('admin_head', array($this, 'include_js'));
     }
-
-    require_once 'paginate.class.php';
   }
 
@@ -127 +124 @@
       }
 
-      $_no_of_testimonial = $_template_data['no_of_testimonial'] ? $_template_data['no_of_testimonial'] : false;
-      if ($_no_of_testimonial) {
-        $_testimonial_result = $this->wpdb->get_results("SELECT * FROM {$this->wpdb->prefix}inic_testimonial WHERE (id NOT IN(" . implode(",", $_current_featured_testimonial_id) . ")){$filter_by} ORDER BY {$_template_data['ord_by']} LIMIT {$_no_of_testimonial}");
-      } else {
+      $_no_of_testimonial = $_template_data['no_of_testimonial'] ? " LIMIT {$_template_data['no_of_testimonial']}" : false;
+      $_testimonial_result = $this->wpdb->get_results("SELECT * FROM {$this->wpdb->prefix}inic_testimonial WHERE (id NOT IN(" . implode(",", $_current_featured_testimonial_id) . ")){$filter_by} ORDER BY {$_template_data['ord_by']}{$_no_of_testimonial}");
+      if (!$_no_of_testimonial || $_template_data['list_per_page']) {
+
+        $_record_per_page = $_template_data['list_per_page'] ? $_template_data['list_per_page'] : 20;
+        $_array_chunk = array_chunk($_testimonial_result, $_record_per_page);
+        $_total_pages = count($_array_chunk);
         $_current_page = (isset($_GET[$this->blog_page_pagination_key]) && $_GET[$this->blog_page_pagination_key] > 0) ? $_GET[$this->blog_page_pagination_key] : 1;
-        $testimonials = new iNICpagination($_current_page, "SELECT * FROM {$this->wpdb->prefix}inic_testimonial WHERE (id NOT IN(" . implode(",", $_current_featured_testimonial_id) . ")){$filter_by} ORDER BY {$_template_data['ord_by']}");
-        $testimonials->link_prefix = "{$_SERVER['REDIRECT_URL']}?{$this->blog_page_pagination_key}=";
-        $testimonials->results_per_page = $_template_data['list_per_page'] ? $_template_data['list_per_page'] : 1000;
-        $_pagination = $testimonials->paginate();
-
-        $_testimonial_result = array();
-
-        if ($testimonials->total_results) {
-          while ($_row = mysql_fetch_object($testimonials->resource())) {
-            $_testimonial_result[] = $_row;
-          }
-        }
-      }
+        $_current_page = $_total_pages < $_current_page ? $_total_pages : $_current_page;
+
+        $_testimonial_result = isset($_array_chunk[$_current_page - 1]) && $_array_chunk[$_current_page - 1] ? $_array_chunk[$_current_page - 1] : $_array_chunk[0];
+        $_pagination = "";
+        
+        if ($_total_pages > 1) {
+          $_pagination .= "<div class='testimonial_pagination'>";
+          
+          if($_current_page > 1) {
+            $_pagination .= "<a href=\"?".build_query(array_merge($_REQUEST, array($this->blog_page_pagination_key => 1)))."\" title=\"Go to the first page\" class=\"first-page\">&laquo;</a> ";
+            $_pagination .= "<a href=\"?".build_query(array_merge($_REQUEST, array($this->blog_page_pagination_key => ($_current_page - 1))))."\" title=\"Go to the previous page\" class=\"prev-page\">&lsaquo;</a> ";
+          }
+          
+          for ($i = 1; $i <= $_total_pages; ++$i) {
+            $_url_prefix = build_query(array_merge($_REQUEST, array($this->blog_page_pagination_key => $i)));
+            $_is_active = $_current_page == $i ? ' class="current-page"' : '';
+            $_pagination .= "<a href=\"?{$_url_prefix}\"{$_is_active}>{$i}</a> ";
+          }
+          
+          if($_current_page < $_total_pages) {
+            $_pagination .= "<a href=\"?".build_query(array_merge($_REQUEST, array($this->blog_page_pagination_key => ($_current_page + 1))))."\" title=\"Go to the next page\" class=\"next-page\">&rsaquo;</a> ";
+            $_pagination .= "<a href=\"?".build_query(array_merge($_REQUEST, array($this->blog_page_pagination_key => $_total_pages)))."\" title=\"Go to the last page\" class=\"last-page\">&raquo;</a> ";
+          }
+          
+          $_pagination .= "</div>";
+        }
+
+      }
+
       if ($_testimonial_result) {
         $i = 0;
@@ -207 +223 @@
       $data['error'] = mysql_error();
     } else {
-      if($this->wpdb->insert_id) {
+      if ($this->wpdb->insert_id) {
         $data['form_reset'] = true;
       }
@@ -325 +341 @@
   }
 
-  public function iNIC_testimonial_delete() {
-    if (isset($_POST['id']) && $_POST['id']) {
-      $this->wpdb->query("DELETE FROM {$this->wpdb->prefix}inic_testimonial WHERE id='{$_POST['id']}'");
-      if (mysql_error()) {
-        $data['error'] = mysql_error();
-      } else {
-        $data['success'] = "The testimonial has been delete successfully.";
-      }
-      echo json_encode($data);
-    }
-    die();
-  }
-
   public function testimonial_register_menu() {
     add_menu_page('Testimonial', 'Testimonial', 'administrator', "inic_testimonial_view", array($this, 'testimonial_view'), $this->pluginUrl . "icon.png");
@@ -345 +348 @@
     add_submenu_page("inic_testimonial_view", "Widget Template", "Widget Template", 'administrator', "inic_testimonial_widget_template", array($this, 'inic_testimonial_widget_template'));
     add_submenu_page("inic_testimonial_view", "Settings", "Settings", 'administrator', "inic_testimonial_settings", array($this, 'testimonial_settings'));
+    
+    require_once "{$this->pluginPath}/listing_data_table.php";
+    $this->tbl = new listing_data_table();
   }
 
@@ -524 +530 @@
 require_once 'widget.php';
 add_action('widgets_init', create_function('', 'register_widget( "iNIC_TestimonialWidget" );'));
+
+
+if (!function_exists('array_chunk')) {
+
+  function array_chunk($input, $size, $preserve_keys = false) {
+    @reset($input);
+
+    $i = $j = 0;
+
+    while (@list( $key, $value ) = @each($input)) {
+      if (!( isset($chunks[$i]) )) {
+        $chunks[$i] = array();
+      }
+
+      if (count($chunks[$i]) < $size) {
+        if ($preserve_keys) {
+          $chunks[$i][$key] = $value;
+          $j++;
+        } else {
+          $chunks[$i][] = $value;
+        }
+      } else {
+        $i++;
+
+        if ($preserve_keys) {
+          $chunks[$i][$key] = $value;
+          $j++;
+        } else {
+          $j = 0;
+          $chunks[$i][$j] = $value;
+        }
+      }
+    }
+
+    return $chunks;
+  }
+
+} 

indianic-testimonial/trunk/view.php

@@ -1 +1 @@
 <?php
-$_current_page = (isset($_GET['p']) && $_GET['p'] > 0) ? $_GET['p'] : 1;
 
-if(isset($_GET['s']) && $_GET['s']) {
-  $_s = trim($_GET['s']);
-  $_where = " WHERE (project_name LIKE '%{$_s}%' || client_name LIKE '%{$_s}%' || city LIKE '%{$_s}%' || state LIKE '%{$_s}%' || country LIKE '%{$_s}%')";
-} else {
-  $_s = $_where = "";
+if (isset($_GET['id']) && $_GET['id'] && isset($_GET['action']) && $_GET['action'] == 'delete') {
+  $this->wpdb->query("DELETE FROM {$this->wpdb->prefix}inic_testimonial WHERE id={$_GET['id']}");
+  if ($this->wpdb->rows_affected) {
+    $_data['updated'] = "The testimonial has been deleted successfully.";
+  }
 }
-$_ord_by = get_option("inic_testimonial_list_ord_by") ? " ORDER BY ".get_option("inic_testimonial_list_ord_by") : "";
-$testimonials = new iNICpagination($_current_page, "SELECT * FROM {$this->wpdb->prefix}inic_testimonial{$_where}{$_ord_by}");
-$testimonials->link_prefix = "admin.php?page=inic_testimonial_view&p=";
-$testimonials->results_per_page = get_option("inic_testimonial_admin_list_per_page");
-$_pagination = $testimonials->paginate();
+    
+$_ord_by = get_option("inic_testimonial_list_ord_by") ? " ORDER BY " . get_option("inic_testimonial_list_ord_by") : "";
+$_result_per_page = get_option("inic_testimonial_admin_list_per_page");
 ?>
 
 <div class="wrap">
   <div id="icon-edit" class="icon32 icon32-posts-post"><br></div>
-  <h2>View Testimonials</h2>
+  <h2>View Testimonials test</h2>
 
-  <div id="message" class="updated below-h2" style="display:none;"><p></p></div>
+  <?php
+  if(isset($_data) && is_array($_data)) {
+    foreach($_data as $_message_type => $_message) {
+      echo '<div id="message" class="'.$_message_type.' below-h2"><p>'.$_message.'</p></div>';
+    }
+  }
+  ?>
 
-  <div class="tablenav top">
-    <form class="alignleft actions" method="GET" action="">
-      <input type="hidden" name="page" value="inic_testimonial_view">
-      <input type="text" id="post-search-input" name="s" value="<?php echo $_s; ?>">
-      <input type="submit" name="" id="search-submit" class="button" value="Search Testimonial">
-    </form>
+  <div class="col-wrap">
+    <div class="form-wrap">
+      <?php
+      if($_result_per_page > 0) {
+        $this->tbl->row_per_page = $_result_per_page;
+      }
+      $this->tbl->set_mysql_query("SELECT * FROM {$this->wpdb->prefix}inic_testimonial{$_ord_by}");
+      $this->tbl->set_mysql_search_query("SELECT * FROM {$this->wpdb->prefix}inic_testimonial WHERE project_name LIKE '%{#S}%' || client_name LIKE '%{#S}%' || city LIKE '%{#S}%' || state LIKE '%{#S}%' || country LIKE '%{#S}%'{$_ord_by}");
 
-    <div class="tablenav-pages"><span class="displaying-num"><?php echo $testimonials->total_results; ?> items</span>
-      <span class="pagination-links">
-        <?php echo $_pagination; ?>
+      $this->tbl->add_col('project_name', "Project Name", true);
+      $this->tbl->display_col_function(function($item, $column_name) {
+                $item['is_featured'] = $item['is_featured'] ? "<br /><code style=\"color:#C00;\"> Featured </code>" : "";
+                return "<a href=\"{$item['project_url']}\" target=\"blank\">{$item['project_name']}</a><br /><i>[ {$item['tags']} ]{$item['is_featured']}</i>";
+              });
+
+      $this->tbl->add_col('client_name', "Client Name", true);
+      $this->tbl->display_col_function(function($item, $column_name) {
+                $item['city'] = $item['city'] ? "<br /><i>[ City: {$item['city']} ]</i>" : "";
+                $item['state'] = $item['state'] ? "<br /><i>[ State: {$item['state']} ]</i>" : "";
+                $item['country'] = $item['country'] ? "<br /><i>[ Country: {$item['country']} ]</i>" : "";
+                return "{$item['client_name']}{$item['city']}{$item['state']}{$item['country']}";
+              });
+
+      $this->tbl->add_col_action('Edit', array('id' => false, 'url' => '?page=inic_testimonial_add'));
+      $this->tbl->add_col_action('Delete', array('action' => 'delete', 'id' => false));
+
+      $this->tbl->add_col('description', "Description");
+
+      $this->tbl->add_col('video_url', "Video URL");
+
+      $this->tbl->add_col('thumb_img_url', "Thumb Image");
+      $this->tbl->display_col_function(function($item, $column_name) {
+                return $item['thumb_img_url'] ? "<a href=\"{$item['large_img_url']}\" target=\"_blank\"><img src=\"{$item['thumb_img_url']}\" width=\"100\" height=\"100\" /></a>" : "";
+              });
+
+
+      $this->tbl->rander();
+      ?>
+
     </div>
-
   </div>
 
-  <table class="wp-list-table widefat fixed testimonials" cellspacing="0">
-    <thead>
-      <tr>
-        <th>Project Name</th>
-        <th>Client Name</th>
-        <th>Description</th>
-        <th>Video URL</th>
-        <th width="100">Thumb Image</th>
-      </tr>
-    </thead>
 
-    <tbody>
-      <?php
-      if ($testimonials->total_results) {
-        while ($_row = mysql_fetch_assoc($testimonials->resource())) {
-          
-          $_row['city'] = $_row['city'] ? "<br /><i>[ City: {$_row['city']} ]</i>" : "";
-          $_row['state'] = $_row['state'] ? "<br /><i>[ State: {$_row['state']} ]</i>" : "";
-          $_row['country'] = $_row['country'] ? "<br /><i>[ Country: {$_row['country']} ]</i>" : "";
-          //$_is_featured = $_row['is_featured'] ? ' class="featured"' : '';
-          
-          $_thumb_img = $_row['thumb_img_url'] ? "<a href=\"{$_row['large_img_url']}\" target=\"_blank\"><img src=\"{$_row['thumb_img_url']}\" width=\"100\" height=\"100\" /></a>" : false;
-          
-          $_row['is_featured'] = $_row['is_featured'] ? "<br /><code style=\"color:#C00;\"> Featured </code>" : "";
-          echo "<tr>
-                    <td><a href=\"{$_row['project_url']}\" target=\"blank\">{$_row['project_name']}</a><br /><i>[ {$_row['tags']} ]{$_row['is_featured']}</i></td>
-                    <td>
-                      {$_row['client_name']}{$_row['city']}{$_row['state']}{$_row['country']}
-                      <div class=\"row-actions\">
-                        <span class=\"edit\"><a href=\"admin.php?page=inic_testimonial_add&id={$_row['id']}\" title=\"Edit this item\">Edit</a> | </span>
-                        <span class=\"trash\"><a class=\"submitdelete\" title=\"Delete this item\" href=\"javascript:void(0)\" rel=\"{$_row['id']}\">Delete</a></span>
-                      </div>
-                    </td>
-                    <td>{$_row['description']}</td>
-                    <td>{$_row['video_url']}</td>
-                    <td>{$_thumb_img}</td>
-                  </tr>";
-        }
-      } else {
-        echo '<tr><td colspan="5">No Testimonial Found.</td></tr>';
-      }
-      ?>
-    </tbody>
-  </table>
 </div>
-
-<style>
-  tr:nth-child(even) td {background-color: #fff;}
-</style>
-
-<script>
-  jQuery(document).ready(function(){
-    jQuery("table.testimonials tr td span.trash a").click(function(e){
-      
-      var _this = jQuery(this);
-      
-      var r = confirm("Are you sure want to delete this item?");
-      if(r == true) {
-        
-        jQuery.post(ajaxurl, {action:"iNIC_testimonial_delete", id:jQuery(this).attr('rel')}, function(data){
-          
-          if(data.error) {
-            jQuery("#message").show().addClass("error").removeClass('updated').find('p').html(data.error);
-          } else if(data.success) {
-            jQuery("#message").removeClass('error')
-            jQuery("#message").show().addClass('updated').find('p').html(data.success);
-            _this.closest("tr").remove();
-          }
-        }, 'json')
-      }
-      e.preventDefault();
-    });
-  });
-</script>