Changeset 773534
- Timestamp:
- 09/16/2013 06:40:08 PM (13 years ago)
- Location:
- sermon-browser/trunk
- Files:
-
- 5 edited
-
sb-includes/admin.php (modified) (11 diffs)
-
sb-includes/frontend.php (modified) (1 diff)
-
sb-includes/podcast.php (modified) (2 diffs)
-
sb-includes/sb-install.php (modified) (1 diff)
-
sermon.php (modified) (13 diffs)
sermon-browser/trunk/sb-includes/admin.php
r753109 r773534 127 127 if (sb_mkdir(SB_ABSPATH.$dir)) 128 128 @chmod(SB_ABSPATH.$dir, 0777); 129 if(!is_dir(SB_ABSPATH.$dir.'images') && sb_mkdir(SB_ABSPATH.$ sermonUploadDir.'images'))129 if(!is_dir(SB_ABSPATH.$dir.'images') && sb_mkdir(SB_ABSPATH.$dir.'images')) 130 130 @chmod(SB_ABSPATH.$dir.'images', 0777); 131 131 $checkSermonUpload = sb_checkSermonUploadable(); … … 435 435 //Save changes 436 436 if (isset($_POST['save'])) { 437 $name = $wpdb->escape($_POST['name']);438 $description = $wpdb->escape($_POST['description']);437 $name = esc_sql($_POST['name']); 438 $description = esc_sql($_POST['description']); 439 439 $error = false; 440 440 $pid = (int) $_REQUEST['pid']; … … 812 812 fclose($remote_file); 813 813 fclose($file); 814 $wpdb->query("INSERT INTO {$wpdb->prefix}sb_stuff VALUES (null, 'file', '". $wpdb->escape($filename)."', 0, 0, 0)");814 $wpdb->query("INSERT INTO {$wpdb->prefix}sb_stuff VALUES (null, 'file', '".esc_sql($filename)."', 0, 0, 0)"); 815 815 echo "<script>document.location = '".admin_url('admin.php?page=sermon-browser/new_sermon.php&getid3='.$wpdb->insert_id)."';</script>"; 816 816 } 817 817 } else { 818 $wpdb->query("INSERT INTO {$wpdb->prefix}sb_stuff VALUES (null, 'url', '". $wpdb->escape($url)."', 0, 0, 0)");818 $wpdb->query("INSERT INTO {$wpdb->prefix}sb_stuff VALUES (null, 'url', '".esc_sql($url)."', 0, 0, 0)"); 819 819 echo "<script>document.location = '".admin_url('admin.php?page=sermon-browser/new_sermon.php&getid3='.$wpdb->insert_id)."';</script>"; 820 820 die(); … … 1326 1326 if (isset($_POST['save']) && isset($_POST['title'])) { 1327 1327 // prepare 1328 $title = $wpdb->escape($_POST['title']);1328 $title = esc_sql($_POST['title']); 1329 1329 $preacher_id = (int) $_POST['preacher']; 1330 1330 $service_id = (int) $_POST['service']; 1331 1331 $series_id = (int) $_POST['series']; 1332 $time = isset($_POST['time']) ? $wpdb->escape($_POST['time']) : '';1332 $time = isset($_POST['time']) ? 
esc_sql($_POST['time']) : ''; 1333 1333 $startz = $endz = array(); 1334 1334 for ($foo = 0; $foo < count($_POST['start']['book']); $foo++) { … … 1346 1346 } 1347 1347 } 1348 $start = $wpdb->escape(serialize($startz));1349 $end = $wpdb->escape(serialize($endz));1348 $start = esc_sql(serialize($startz)); 1349 $end = esc_sql(serialize($endz)); 1350 1350 $date = strtotime($_POST['date']); 1351 1351 $override = (isset($_POST['override']) && $_POST['override'] == 'on') ? 1 : 0; … … 1366 1366 } 1367 1367 // edit or not edit 1368 if ( !$_GET['mid']) { // new1368 if ( !isset($_GET['mid']) or !$_GET['mid'] ) { // new 1369 1369 //Security check 1370 1370 if (!current_user_can('publish_pages')) … … 1413 1413 $prefix = ''; 1414 1414 $dest = SB_ABSPATH.sb_get_option('upload_dir').$prefix.$filename; 1415 if ($wpdb->get_var("SELECT COUNT(*) FROM {$wpdb->prefix}sb_stuff WHERE name = '". $wpdb->escape($filename)."'") == 0 && move_uploaded_file($_FILES['upload']['tmp_name'][$uid], $dest)) {1415 if ($wpdb->get_var("SELECT COUNT(*) FROM {$wpdb->prefix}sb_stuff WHERE name = '".esc_sql($filename)."'") == 0 && move_uploaded_file($_FILES['upload']['tmp_name'][$uid], $dest)) { 1416 1416 $filename = $prefix.mysql_real_escape_string($filename); 1417 $wpdb->query("INSERT INTO {$wpdb->prefix}sb_stuff VALUES (null, 'file', '". $wpdb->escape($filename)."', $id, 0, 0)");1417 $wpdb->query("INSERT INTO {$wpdb->prefix}sb_stuff VALUES (null, 'file', '".esc_sql($filename)."', $id, 0, 0)"); 1418 1418 } else { 1419 1419 echo '<div id="message" class="updated fade"><p><b>'.$filename.__(' already exists.', $sermon_domain).'</b></div>'; … … 1464 1464 $id3_tags = array(); 1465 1465 if (isset($_GET['getid3'])) { 1466 $file_data = $wpdb->get_row("SELECT name, type FROM {$wpdb->prefix}sb_stuff WHERE id = ". $wpdb->escape($_GET['getid3']));1466 $file_data = $wpdb->get_row("SELECT name, type FROM {$wpdb->prefix}sb_stuff WHERE id = ".esc_sql($_GET['getid3'])); 1467 1467 if ($file_data !== NULL) { 1468 1468 if ( ! 
class_exists( 'getID3' ) ) { … … 1532 1532 $filename = substr($filename, 0, strrpos($filename, '.')); 1533 1533 $filename = str_replace ('--', '-', str_replace ('/', '-', $filename)); 1534 $filename = trim( ereg_replace('[^0-9-]', '', $filename), '-');1535 $date = explode('-', $filename , 3);1534 $filename = trim(preg_replace('/[^0-9-]/', '', $filename), '-'); 1535 $date = explode('-', $filename); 1536 1536 $id3_tags['date'] = ''; 1537 1537 if (count($date) >= 3) { … … 2349 2349 $player = ''; 2350 2350 } else { 2351 $limit = attribute_escape($options[$number]['limit']);2352 $preacher = attribute_escape($options[$number]['preacher']);2353 $service = attribute_escape($options[$number]['service']);2354 $series = attribute_escape($options[$number]['series']);2351 $limit = esc_attr($options[$number]['limit']); 2352 $preacher = esc_attr($options[$number]['preacher']); 2353 $service = esc_attr($options[$number]['service']); 2354 $series = esc_attr($options[$number]['series']); 2355 2355 $preacherz = (int) $options[$number]['preacherz']; 2356 2356 $book = (int) $options[$number]['book']; 2357 $title = attribute_escape($options[$number]['title']);2357 $title = esc_attr($options[$number]['title']); 2358 2358 $date = (int) $options[$number]['date']; 2359 $player = attribute_escape($options[$number]['player']);2359 $player = esc_attr($options[$number]['player']); 2360 2360 } 2361 2361 … … 2431 2431 } 2432 2432 2433 $title = attribute_escape($options['title']);2434 $limit = attribute_escape($options['limit']);2435 $display_sermons = (boolean) attribute_escape($options['display_sermons']);2436 $display_series = (boolean) attribute_escape($options['display_series']);2437 $display_preachers = (boolean) attribute_escape($options['display_preachers']);2433 $title = esc_attr($options['title']); 2434 $limit = esc_attr($options['limit']); 2435 $display_sermons = (boolean) esc_attr($options['display_sermons']); 2436 $display_series = (boolean) esc_attr($options['display_series']); 2437 
$display_preachers = (boolean) esc_attr($options['display_preachers']); 2438 2438 2439 2439 ?> -
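Review bot: At line 1466 the value of `$_GET['getid3']` is interpolated unquoted into `WHERE id = …`, and `esc_sql()` only escapes quote characters, so in a numeric context it gives no protection and any SQL expression passes straight through; cast or bind it instead, e.g. `$file_data = $wpdb->get_row($wpdb->prepare("SELECT name, type FROM {$wpdb->prefix}sb_stuff WHERE id = %d", $_GET['getid3']));`. The other `esc_sql()` replacements in this file are inside quoted string literals, where the escaping is adequate. Line 1416 still applies `mysql_real_escape_string()` to `$filename` and line 1417 then escapes the result again with `esc_sql()`, so a name containing quotes or backslashes is stored double-escaped and no longer matches the file written to `$dest`; that pre-dates this commit but is worth fixing in the same sweep. The enclosing functions of these hunks start outside the hunk.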
sermon-browser/trunk/sb-includes/frontend.php
r748934 r773534 708 708 echo '<div class="sermon_file">'; 709 709 sb_print_url ($url); 710 if (s ubstr($url, -4) == ".mp3") {710 if (strtolower(substr($url, -4)) == ".mp3") { 711 711 if ((substr($url,0,7) == "http://") or (substr($url,0,8) == 'https://')) { 712 712 $param="url"; } -
sermon-browser/trunk/sb-includes/podcast.php
r753109 r773534 25 25 global $wpdb; 26 26 if (strtolower(substr($media_name, -3)) == 'mp3' && $media_type == 'Files') { 27 $duration = $wpdb->get_var("SELECT duration FROM {$wpdb->prefix}sb_stuff WHERE type = 'file' AND name = '". $wpdb->escape($media_name)."'");27 $duration = $wpdb->get_var("SELECT duration FROM {$wpdb->prefix}sb_stuff WHERE type = 'file' AND name = '".esc_sql($media_name)."'"); 28 28 if ($duration) 29 29 return $duration; … … 38 38 $MediaFileInfo = $getID3->analyze(SB_ABSPATH.sb_get_option('upload_dir').$media_name); 39 39 $duration = isset($MediaFileInfo['playtime_string']) ? $MediaFileInfo['playtime_string'] : ''; 40 $wpdb->query("UPDATE {$wpdb->prefix}sb_stuff SET duration = '". $wpdb->escape($duration)."' WHERE type = 'file' AND name = '".$wpdb->escape($media_name)."'");40 $wpdb->query("UPDATE {$wpdb->prefix}sb_stuff SET duration = '".esc_sql($duration)."' WHERE type = 'file' AND name = '".esc_sql($media_name)."'"); 41 41 return $duration; 42 42 } -
sermon-browser/trunk/sb-includes/sb-install.php
r748934 r773534 418 418 419 419 div.net p.poetry { 420 font-style: italic s;420 font-style: italic; 421 421 margin: 0 422 422 } -
sermon-browser/trunk/sermon.php
r753109 r773534 5 5 Description: Upload sermons to your website, where they can be searched, listened to, and downloaded. Easy to use with comprehensive help and tutorials. 6 6 Author: Mark Barnes 7 Version: 0.45.1 17 Version: 0.45.12 8 8 Author URI: http://www.4-14.org.uk/ 9 9 … … 54 54 * @package common_functions 55 55 */ 56 define('SB_CURRENT_VERSION', '0.45.1 1');56 define('SB_CURRENT_VERSION', '0.45.12'); 57 57 define('SB_DATABASE_VERSION', '1.7'); 58 58 sb_define_constants(); … … 73 73 74 74 global $filetypes, $wpdb, $sermon_domain; 75 76 if ( function_exists('wp_timezone_supported') && wp_timezone_supported())75 76 if ( version_compare(get_bloginfo('version'), '3.2', '>=') || (function_exists('wp_timezone_supported') && wp_timezone_supported()) ) 77 77 wp_timezone_override_offset(); 78 78 … … 84 84 //Forces sermon download of local file 85 85 if (isset($_GET['download']) AND isset($_GET['file_name'])) { 86 $file_name = $wpdb->escape(rawurldecode($_GET['file_name']));86 $file_name = esc_sql(rawurldecode($_GET['file_name'])); 87 87 $file_name = $wpdb->get_var("SELECT name FROM {$wpdb->prefix}sb_stuff WHERE name='{$file_name}'"); 88 88 if (!is_null($file_name)) { … … 93 93 header("Content-Type: application/octet-stream"); 94 94 header("Content-Type: application/download"); 95 header('Content-Disposition: attachment; filename="'.$file_name.'" ;');95 header('Content-Disposition: attachment; filename="'.$file_name.'"'); 96 96 header("Content-Transfer-Encoding: binary"); 97 97 sb_increase_download_count ($file_name); … … 140 140 header ('Content-Disposition: '.$headers['content-disposition']); 141 141 else 142 header('Content-Disposition: attachment; filename="'.basename($url).'" ;');142 header('Content-Disposition: attachment; filename="'.basename($url).'"'); 143 143 header("Content-Transfer-Encoding: binary"); 144 144 header($_SERVER['SERVER_PROTOCOL'].' 
200 OK'); … … 158 158 if (isset($_GET['show']) AND isset($_GET['file_name'])) { 159 159 global $filetypes; 160 $file_name = $wpdb->escape(rawurldecode($_GET['file_name']));160 $file_name = esc_sql(rawurldecode($_GET['file_name'])); 161 161 $file_name = $wpdb->get_var("SELECT name FROM {$wpdb->prefix}sb_stuff WHERE name='{$file_name}'"); 162 162 if (!is_null($file_name)) { … … 516 516 } else { 517 517 if (isset($_REQUEST['sortby'])) 518 $sort_criteria = $wpdb->escape($_REQUEST['sortby']);518 $sort_criteria = esc_sql($_REQUEST['sortby']); 519 519 else 520 520 $sort_criteria = 'm.datetime'; 521 521 if (!empty($atts['dir'])) 522 $dir = $wpdb->escape($atts['dir']);522 $dir = esc_sql($atts['dir']); 523 523 elseif ($sort_criteria == 'm.datetime') 524 524 $dir = 'desc'; … … 775 775 $filter = array_merge($default_filter, (array)$filter); 776 776 $order = array_merge($default_order, (array)$order); 777 if ( strtolower($order['dir']) != 'desc' and strtolower($order['dir']) != 'asc' ) 778 $order['dir'] = $default_order['dir']; 779 $valid_sortby_values = array( 'm.id', 'm.title', 'm.datetime', 'm.start', 'm.end', 'p.id', 'p.name', 's.id', 's.name', 'ss.id', 'ss.name'); 780 if ( !in_array($order['by'], $valid_sortby_values) ) 781 $order['by'] = $default_order['by']; 777 782 $page = (int) $page; 778 783 $cond = '1=1 '; 779 784 if ($filter['title'] != '') { 780 $cond .= "AND (m.title LIKE '%" . $wpdb->escape($filter['title']) . "%' OR m.description LIKE '%" . $wpdb->escape($filter['title']). "%' OR t.name LIKE '%" . $wpdb->escape($filter['title']) . "%') ";785 $cond .= "AND (m.title LIKE '%" . esc_sql($filter['title']) . "%' OR m.description LIKE '%" . esc_sql($filter['title']). "%' OR t.name LIKE '%" . esc_sql($filter['title']) . "%') "; 781 786 } 782 787 if ($filter['preacher'] != 0) { … … 784 789 } 785 790 if ($filter['date'] != '') { 786 $cond .= 'AND m.datetime >= "' . $wpdb->escape($filter['date']) . '" ';791 $cond .= 'AND m.datetime >= "' . esc_sql($filter['date']) . 
'" '; 787 792 } 788 793 if ($filter['enddate'] != '') { 789 $cond .= 'AND m.datetime <= "' . $wpdb->escape($filter['enddate']) . '" ';794 $cond .= 'AND m.datetime <= "' . esc_sql($filter['enddate']) . '" '; 790 795 } 791 796 if ($filter['series'] != 0) { … … 796 801 } 797 802 if ($filter['book'] != '') { 798 $cond .= 'AND bs.book_name = "' . $wpdb->escape($filter['book']) . '" ';803 $cond .= 'AND bs.book_name = "' . esc_sql($filter['book']) . '" '; 799 804 } else { 800 805 $bs = "AND bs.order = 0 AND bs.type= 'start' "; 801 806 } 802 807 if ($filter['tag'] != '') { 803 $cond .= "AND t.name LIKE '%" . $wpdb->escape($filter['tag']) . "%' ";808 $cond .= "AND t.name LIKE '%" . esc_sql($filter['tag']) . "%' "; 804 809 } 805 810 if ($filter['id'] != '') { 806 $cond .= "AND m.id LIKE '" . $wpdb->escape($filter['id']) . "' ";811 $cond .= "AND m.id LIKE '" . esc_sql($filter['id']) . "' "; 807 812 } 808 813 if ($hide_empty) { … … 811 816 $offset = $limit * ($page - 1); 812 817 if ($order['by'] == 'b.id' ) { 813 $order['by'] = 'b.id '. $wpdb->escape($order['dir']).', bs.chapter '.$wpdb->escape($order['dir']).', bs.verse';818 $order['by'] = 'b.id '.esc_sql($order['dir']).', bs.chapter '.esc_sql($order['dir']).', bs.verse'; 814 819 } 815 820 return "SELECT SQL_CALC_FOUND_ROWS DISTINCT m.id, m.title, m.description, m.datetime, m.time, m.start, m.end, p.id as pid, p.name as preacher, p.description as preacher_description, p.image, s.id as sid, s.name as service, ss.id as ssid, ss.name as series … … 876 881 if (function_exists('current_user_can')&&!(current_user_can('edit_posts')|current_user_can('publish_posts'))) { 877 882 global $wpdb; 878 $wpdb->query("UPDATE ".$wpdb->prefix."sb_stuff SET COUNT=COUNT+1 WHERE name='". $wpdb->escape($stuff_name)."'");883 $wpdb->query("UPDATE ".$wpdb->prefix."sb_stuff SET COUNT=COUNT+1 WHERE name='".esc_sql($stuff_name)."'"); 879 884 } 880 885 }
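Review bot: The new `$valid_sortby_values` whitelist at line 779 omits `'b.id'`, yet line 817 (`if ($order['by'] == 'b.id')`) still special-cases that value, so after this change any caller ordering by Bible book is silently reset to `$default_order['by']` and the `b.id` branch becomes unreachable; add `'b.id'` to the list if book ordering is meant to remain supported. The `in_array()` at line 780 should also pass `true` as its third argument so that loose comparison cannot accept an unexpected value. The whitelist lives in the function beginning at line 775, whose header is outside the hunk, while line 518 in an earlier function still takes `sortby` straight from the request; whether every path from there reaches this validation is not visible here.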