From 3ec08a8f48226fff0b84bb3881446ce3ddd8f92d Mon Sep 17 00:00:00 2001 From: "Michael Kaufmann (d00p)" Date: Sat, 2 Nov 2013 12:07:34 +0100 Subject: [PATCH] migrate admin_message, admin_phpsettings and admin_templates to PDO, refs #1287 Signed-off-by: Michael Kaufmann (d00p) --- admin_message.php | 27 ++- admin_phpsettings.php | 208 +++++++++++-------- admin_templates.php | 465 +++++++++++++++++++++++++----------------- 3 files changed, 421 insertions(+), 279 deletions(-) diff --git a/admin_message.php b/admin_message.php index c50c7290..2cb63419 100644 --- a/admin_message.php +++ b/admin_message.php @@ -18,10 +18,6 @@ */ define('AREA', 'admin'); - -/** - * Include our init.php, which manages Sessions, Language etc. - */ require('./lib/init.php'); if (isset($_POST['id'])) { 
@@ -41,14 +37,18 @@ if ($page == 'message') { && $userinfo['customers_see_all'] == '1' ) { $log->logAction(ADM_ACTION, LOG_NOTICE, 'sending messages to admins'); - $result = $db->query('SELECT `name`, `email` FROM `' . TABLE_PANEL_ADMINS . "`"); + $result = Database::query('SELECT `name`, `email` FROM `' . TABLE_PANEL_ADMINS . "`"); } elseif ($_POST['receipient'] == 1) { if ($userinfo['customers_see_all'] == '1') { $log->logAction(ADM_ACTION, LOG_NOTICE, 'sending messages to ALL customers'); - $result = $db->query('SELECT `firstname`, `name`, `email` FROM `' . TABLE_PANEL_CUSTOMERS . "`"); + $result = Database::query('SELECT `firstname`, `name`, `company`, `email` FROM `' . TABLE_PANEL_CUSTOMERS . "`"); } else { $log->logAction(ADM_ACTION, LOG_NOTICE, 'sending messages to customers'); - $result = $db->query('SELECT `firstname`, `name`, `email` FROM `' . TABLE_PANEL_CUSTOMERS . "` WHERE `adminid`='" . $userinfo['adminid'] . "'"); + $result = Database::prepare(' + SELECT `firstname`, `name`, `company`, `email` FROM `' . TABLE_PANEL_CUSTOMERS . "` + WHERE `adminid` = :adminid" + ); + Database::pexecute($result, array('adminid' => $userinfo['adminid'])); } } else { standard_error('noreceipientsgiven'); @@ -62,8 +62,11 @@ if ($page == 'message') { $mail->Body = $message; $mail->Subject = $subject; - while ($row = $db->fetch_array($result)) { - $mail->AddAddress($row['email'], (isset($row['firstname']) ? $row['firstname'] . ' ' : '') . $row['name']); + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { + + $row['firstname'] = isset($row['firstname']) ? $row['firstname'] : ''; + $row['company'] = isset($row['company']) ? $row['company'] : ''; + $mail->AddAddress($row['email'], getCorrectUserSalutation(array('firstname' => $row['firstname'], 'name' => $row['name'], 'company' => $row['company']))); $mail->From = $userinfo['email']; $mail->FromName = (isset($userinfo['firstname']) ? $userinfo['firstname'] . ' ' : '') . $userinfo['name']; 
@@ -82,7 +85,7 @@ if ($page == 'message') { $mail->ClearAddresses(); } - redirectTo($filename, Array('page' => $page, 's' => $s, 'action' => 'showsuccess', 'sentitems' => $mailcounter)); + redirectTo($filename, array('page' => $page, 's' => $s, 'action' => 'showsuccess', 'sentitems' => $mailcounter)); } else { standard_error('nomessagetosend'); } @@ -90,6 +93,7 @@ if ($page == 'message') { } if ($action == 'showsuccess') { + $success = 1; $sentitems = isset($_GET['sentitems']) ? (int)$_GET['sentitems'] : 0; @@ -98,13 +102,14 @@ if ($page == 'message') { } else { $successmessage = str_replace('%s', $sentitems, $lng['message']['success']); } + } else { $success = 0; $sentitems = 0; $successmessage = ''; } - $action = ''; + $action = ''; $receipients = ''; if ($userinfo['customers_see_all'] == '1') { diff --git a/admin_phpsettings.php b/admin_phpsettings.php index cb093299..02a53258 100644 --- a/admin_phpsettings.php +++ b/admin_phpsettings.php @@ -18,11 +18,6 @@ */ define('AREA', 'admin'); - -/** - * Include our init.php, which manages Sessions, Language etc. - */ - require ("./lib/init.php"); if (isset($_POST['id'])) { 
@@ -37,27 +32,27 @@ if ($page == 'overview') { $tablecontent = ''; $count = 0; - $result = $db->query("SELECT * FROM `" . TABLE_PANEL_PHPCONFIGS . "`"); + $result = Database::query("SELECT * FROM `" . TABLE_PANEL_PHPCONFIGS . "`"); - while ($row = $db->fetch_array($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $domainresult = false; $query = "SELECT * FROM `".TABLE_PANEL_DOMAINS."` - WHERE `phpsettingid` = '".(int)$row['id']."' + WHERE `phpsettingid` = :id AND `parentdomainid` = '0'"; if ((int)$userinfo['domains_see_all'] == 0) { - $query .= " AND `adminid` = '".(int)$userinfo['userid']."'"; + $query .= " AND `adminid` = :adminid"; } if ((int)$settings['panel']['phpconfigs_hidestdsubdomain'] == 1) { - $query2 = "SELECT DISTINCT `standardsubdomain` - FROM `".TABLE_PANEL_CUSTOMERS."` - WHERE `standardsubdomain` > 0 ORDER BY `standardsubdomain` ASC;"; - $ssdids_res = $db->query($query2); + $ssdids_res = Database::query(" + SELECT DISTINCT `standardsubdomain` FROM `".TABLE_PANEL_CUSTOMERS."` + WHERE `standardsubdomain` > 0 ORDER BY `standardsubdomain` ASC;" + ); $ssdids = array(); - while ($ssd = $db->fetch_array($ssdids_res)) { + while ($ssd = $ssdids_res->fetch(PDO::FETCH_ASSOC)) { $ssdids[] = $ssd['standardsubdomain']; } if (count($ssdids) > 0) { @@ -65,17 +60,17 @@ if ($page == 'overview') { } } - $domainresult = $db->query($query); + $domainresult_stmt = Database::prepare($query); + Database::pexecute($domainresult_stmt, array('id' => $id, 'adminid' => $userinfo['adminid'])); $domains = ''; - if ($db->num_rows($domainresult) > 0) { - while ($row2 = $db->fetch_array($domainresult)) { + if (Database::num_rows() > 0) { + while ($row2 = $domainresult_stmt->fetch(PDO::FETCH_ASSOC)) { $domains.= $row2['domain'] . '
'; } } else { $domains = $lng['admin']['phpsettings']['notused']; } - $count ++; eval("\$tablecontent.=\"" . getTemplate("phpconfig/overview_overview") . "\";"); } @@ -84,13 +79,13 @@ if ($page == 'overview') { eval("echo \"" . getTemplate("phpconfig/overview") . "\";"); } - if($action == 'add') - { - if((int)$userinfo['change_serversettings'] == 1) - { - if(isset($_POST['send']) - && $_POST['send'] == 'send') - { + if ($action == 'add') { + + if ((int)$userinfo['change_serversettings'] == 1) { + + if (isset($_POST['send']) + && $_POST['send'] == 'send' + ) { $description = validate($_POST['description'], 'description'); $binary = makeCorrectFile(validate($_POST['binary'], 'binary')); $file_extensions = validate($_POST['file_extensions'], 'file_extensions', '/^[a-zA-Z0-9\s]*$/'); 
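Review bot: The new `Database::pexecute($domainresult_stmt, array('id' => $id, 'adminid' => $userinfo['adminid']))` binds the request parameter `$id` to `:id`, whereas the removed line interpolated `(int)$row['id']`, the php-config currently being listed, so every row now shows the domains of whatever id the request carried instead of its own. The `'adminid'` entry is also passed unconditionally although `:adminid` is only appended to `$query` (in the preceding hunk) when `domains_see_all` is 0, so for admins who see all domains the execute has more bound values than placeholders and PDO rejects the statement. Building the parameter array next to the query fixes both; the switch from `$userinfo['userid']` to `$userinfo['adminid']` may be intentional but is worth confirming. The enclosing `while` loop over the php-configs starts in the preceding hunk.
```php
$domainresult_stmt = Database::prepare($query);
$domain_params = array('id' => $row['id']);
if ((int)$userinfo['domains_see_all'] == 0) {
    // only bind :adminid when the placeholder was appended to $query above
    $domain_params['adminid'] = $userinfo['adminid'];
}
Database::pexecute($domainresult_stmt, $domain_params);
// … unchanged: num_rows check and domain list rendering …
```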
@@ -98,20 +93,39 @@ if ($page == 'overview') { $mod_fcgid_starter = validate($_POST['mod_fcgid_starter'], 'mod_fcgid_starter', '/^[0-9]*$/', '', array('-1', '')); $mod_fcgid_maxrequests = validate($_POST['mod_fcgid_maxrequests'], 'mod_fcgid_maxrequests', '/^[0-9]*$/', '', array('-1', '')); - if(strlen($description) == 0 - || strlen($description) > 50) - { + if (strlen($description) == 0 + || strlen($description) > 50 + ) { standard_error('descriptioninvalid'); } - $db->query("INSERT INTO `" . TABLE_PANEL_PHPCONFIGS . "` SET `description` = '" . $db->escape($description) . "', `binary` = '" . $db->escape($binary) . "', `file_extensions` = '" . $db->escape($file_extensions) . "', `mod_fcgid_starter` = '" . $db->escape($mod_fcgid_starter) . "', `mod_fcgid_maxrequests` = '" . $db->escape($mod_fcgid_maxrequests) . "', `phpsettings` = '" . $db->escape($phpsettings) . "'"); + $ins_stmt = Database::prepare(" + INSERT INTO `" . TABLE_PANEL_PHPCONFIGS . "` SET + `description` = :desc, + `binary` = :binary, + `file_extensions` = :fext, + `mod_fcgid_starter` = :starter, + `mod_fcgid_maxrequests` = :mreq, + `phpsettings` = :phpsettings" + ); + $ins_data = array( + 'desc' => $description, + 'binary' => $binary, + 'fext' => $file_extensions, + 'starter' => $mod_fcgid_starter, + 'mreq' => $mod_fcgid_maxrequests, + 'phpsettings' => $phpsettings + ); + Database::pexecute($ins_stmt, $ins_data); + inserttask('1'); $log->logAction(ADM_ACTION, LOG_INFO, "php.ini setting with description '" . $description . "' has been created by '" . $userinfo['loginname'] . "'"); - redirectTo($filename, Array('page' => $page, 's' => $s)); - } - else - { - $result = $db->query_first("SELECT * FROM `" . TABLE_PANEL_PHPCONFIGS . "` WHERE `id` = 1"); + redirectTo($filename, array('page' => $page, 's' => $s)); + + } else { + + $result_stmt = Database::query("SELECT * FROM `" . TABLE_PANEL_PHPCONFIGS . 
"` WHERE `id` = 1"); + $result = $result_stmt->fetch(PDO::FETCH_ASSOC); $phpconfig_add_data = include_once dirname(__FILE__).'/lib/formfields/admin/phpconfig/formfield.phpconfig_add.php'; $phpconfig_add_form = htmlform::genHTMLForm($phpconfig_add_data); 
@@ -121,53 +135,70 @@ if ($page == 'overview') { eval("echo \"" . getTemplate("phpconfig/overview_add") . "\";"); } - } - else - { + + } else { standard_error('nopermissionsorinvalidid'); } } - if($action == 'delete') - { - $result = $db->query_first("SELECT * FROM `" . TABLE_PANEL_PHPCONFIGS . "` WHERE `id` = " . (int)$id); + if ($action == 'delete') { + + $result_stmt = Database::prepare(" + SELECT * FROM `" . TABLE_PANEL_PHPCONFIGS . "` WHERE `id` = :id" + ); + Database::pexecute($result_stmt, array('id' => $id)); + $result = $result_stmt->fetch(PDO::FETCH_ASSOC); + + if ($result['id'] != 0 + && $result['id'] == $id + && (int)$userinfo['change_serversettings'] == 1 + && $id != 1 // cannot delete the default php.config + ) { + + if (isset($_POST['send']) + && $_POST['send'] == 'send' + ) { + // set php-config to default for all domains using the + // config that is to be deleted + $upd_stmt = Database::prepare(" + UPDATE `" . TABLE_PANEL_DOMAINS . "` SET + `phpsettingid` = 1 WHERE `phpsettingid` = :id" + ); + Database::pexecute($upd_stmt, array('id' => $id)); + + $del_stmt = Database::prepare(" + DELETE FROM `" . TABLE_PANEL_PHPCONFIGS . "` WHERE `id` = :id" + ); + Database::pexecute($del_stmt, array('id' => $id)); - if($result['id'] != 0 - && $result['id'] == $id - && (int)$userinfo['change_serversettings'] == 1 - && $id != 1) - { - if(isset($_POST['send']) - && $_POST['send'] == 'send') - { - $db->query("UPDATE `" . TABLE_PANEL_DOMAINS . "` SET `phpsettingid` = 1 WHERE `phpsettingid` = " . (int)$id); - $db->query("DELETE FROM `" . TABLE_PANEL_PHPCONFIGS . "` WHERE `id` = " . (int)$id); inserttask('1'); $log->logAction(ADM_ACTION, LOG_INFO, "php.ini setting with id #" . (int)$id . " has been deleted by '" . $userinfo['loginname'] . 
"'"); - redirectTo($filename, Array('page' => $page, 's' => $s)); - } - else - { + redirectTo($filename, array('page' => $page, 's' => $s)); + + } else { ask_yesno('phpsetting_reallydelete', $filename, array('id' => $id, 'page' => $page, 'action' => $action), $result['description']); } - } - else - { + } else { standard_error('nopermissionsorinvalidid'); } } - if($action == 'edit') - { - $result = $db->query_first("SELECT * FROM `" . TABLE_PANEL_PHPCONFIGS . "` WHERE `id` = " . (int)$id); + if ($action == 'edit') { - if($result['id'] != 0 - && $result['id'] == $id - && (int)$userinfo['change_serversettings'] == 1) - { - if(isset($_POST['send']) - && $_POST['send'] == 'send') - { + $result_stmt = Database::prepare(" + SELECT * FROM `" . TABLE_PANEL_PHPCONFIGS . "` WHERE `id` = :id" + ); + Database::pexecute($result_stmt, array('id' => $id)); + $result = $result_stmt->fetch(PDO::FETCH_ASSOC); + + if ($result['id'] != 0 + && $result['id'] == $id + && (int)$userinfo['change_serversettings'] == 1 + ) { + + if (isset($_POST['send']) + && $_POST['send'] == 'send' + ) { $description = validate($_POST['description'], 'description'); $binary = makeCorrectFile(validate($_POST['binary'], 'binary')); $file_extensions = validate($_POST['file_extensions'], 'file_extensions', '/^[a-zA-Z0-9\s]*$/'); 
@@ -175,19 +206,39 @@ if ($page == 'overview') { $mod_fcgid_starter = validate($_POST['mod_fcgid_starter'], 'mod_fcgid_starter', '/^[0-9]*$/', '', array('-1', '')); $mod_fcgid_maxrequests = validate($_POST['mod_fcgid_maxrequests'], 'mod_fcgid_maxrequests', '/^[0-9]*$/', '', array('-1', '')); - if(strlen($description) == 0 - || strlen($description) > 50) - { + if (strlen($description) == 0 + || strlen($description) > 50 + ) { standard_error('descriptioninvalid'); } - $db->query("UPDATE `" . TABLE_PANEL_PHPCONFIGS . "` SET `description` = '" . $db->escape($description) . "', `binary` = '" . $db->escape($binary) . "', `file_extensions` = '" . $db->escape($file_extensions) . "', `mod_fcgid_starter` = '" . $db->escape($mod_fcgid_starter) . "', `mod_fcgid_maxrequests` = '" . $db->escape($mod_fcgid_maxrequests) . "', `phpsettings` = '" . $db->escape($phpsettings) . "' WHERE `id` = " . (int)$id); + $upd_stmt = Database::prepare(" + UPDATE `" . TABLE_PANEL_PHPCONFIGS . "` SET + `description` = :desc, + `binary` = :binary, + `file_extensions` = :fext, + `mod_fcgid_starter` = :starter, + `mod_fcgid_maxrequests` = :mreq, + `phpsettings` = :phpsettings + WHERE `id` = :id" + ); + $upd_data = array( + 'desc' => $description, + 'binary' => $binary, + 'fext' => $file_extensions, + 'starter' => $mod_fcgid_starter, + 'mreq' => $mod_fcgid_maxrequests, + 'phpsettings' => $phpsettings, + 'id' => $id + ); + Database::pexecute($upd_stmt, $upd_data); + inserttask('1'); $log->logAction(ADM_ACTION, LOG_INFO, "php.ini setting with description '" . $description . "' has been changed by '" . $userinfo['loginname'] . "'"); - redirectTo($filename, Array('page' => $page, 's' => $s)); - } - else - { + redirectTo($filename, array('page' => $page, 's' => $s)); + + } else { + $phpconfig_edit_data = include_once dirname(__FILE__).'/lib/formfields/admin/phpconfig/formfield.phpconfig_edit.php'; $phpconfig_edit_form = htmlform::genHTMLForm($phpconfig_edit_data); 
@@ -196,12 +247,9 @@ if ($page == 'overview') { eval("echo \"" . getTemplate("phpconfig/overview_edit") . "\";"); } - } - else - { + + } else { standard_error('nopermissionsorinvalidid'); } } } - -?> diff --git a/admin_templates.php b/admin_templates.php index fb1c6685..268602f7 100644 --- a/admin_templates.php +++ b/admin_templates.php @@ -18,30 +18,21 @@ */ define('AREA', 'admin'); - -/** - * Include our init.php, which manages Sessions, Language etc. - */ - require ("./lib/init.php"); -if(isset($_POST['subjectid'])) -{ +if (isset($_POST['subjectid'])) { $subjectid = intval($_POST['subjectid']); $mailbodyid = intval($_POST['mailbodyid']); -} -elseif(isset($_GET['subjectid'])) -{ + +} elseif(isset($_GET['subjectid'])) { $subjectid = intval($_GET['subjectid']); $mailbodyid = intval($_GET['mailbodyid']); } -if(isset($_POST['id'])) -{ +if (isset($_POST['id'])) { $id = intval($_POST['id']); -} -elseif(isset($_GET['id'])) -{ + +} elseif(isset($_GET['id'])) { $id = intval($_GET['id']); } @@ -60,6 +51,7 @@ if ((int)$settings['system']['report_enable'] == 1) { 'diskmaxpercent' ); } + if ((int)$settings['ticket']['enabled'] == 1) { array_push($available_templates, 'new_ticket_by_customer', 
@@ -74,32 +66,31 @@ $file_templates = array( 'index_html' ); -if($action == '') -{ +if ($action == '') { //email templates - $log->logAction(ADM_ACTION, LOG_NOTICE, "viewed admin_templates"); - if($settings['panel']['sendalternativemail'] == 1) - { + if ($settings['panel']['sendalternativemail'] == 1) { $available_templates[] = 'pop_success_alternative'; } $templates_array = array(); - $result = $db->query("SELECT `id`, `language`, `varname` FROM `" . TABLE_PANEL_TEMPLATES . "` WHERE `adminid`='" . (int)$userinfo['adminid'] . "' AND `templategroup`='mails' ORDER BY `language`, `varname`"); + $result_stmt = Database::prepare(" + SELECT `id`, `language`, `varname` FROM `" . TABLE_PANEL_TEMPLATES . "` + WHERE `adminid` = :adminid AND `templategroup`='mails' + ORDER BY `language`, `varname`" + ); + Database::pexecute($result_stmt, array('adminid' => $userinfo['adminid'])); - while($row = $db->fetch_array($result)) - { + while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) { $parts = array(); preg_match('/^([a-z]([a-z_]+[a-z])*)_(mailbody|subject)$/', $row['varname'], $parts); $templates_array[$row['language']][$parts[1]][$parts[3]] = $row['id']; } $templates = ''; - foreach($templates_array as $language => $template_defs) - { - foreach($template_defs as $action => $email) - { + foreach ($templates_array as $language => $template_defs) { + foreach ($template_defs as $action => $email) { $subjectid = $email['subject']; $mailbodyid = $email['mailbody']; $template = $lng['admin']['templates'][$action]; 
@@ -108,115 +99,137 @@ if($action == '') } $add = false; + while (list($language_file, $language_name) = each($languages)) { - while(list($language_file, $language_name) = each($languages)) - { $templates_done = array(); - $result = $db->query('SELECT `varname` FROM `' . TABLE_PANEL_TEMPLATES . '` WHERE `adminid`=\'' . (int)$userinfo['adminid'] . '\' AND `language`=\'' . $db->escape($language_name) . '\' AND `templategroup`=\'mails\' AND `varname` LIKE \'%_subject\''); + $result_stmt = Database::prepare(" + SELECT `varname` FROM `" . TABLE_PANEL_TEMPLATES . "` + WHERE `adminid` = :adminid AND `language`= :lang + AND `templategroup` = 'mails' AND `varname` LIKE '%_subject'" + ); + Database::pexecute($result_stmt, array('adminid' => $userinfo['adminid'], 'lang' => $language_name)); - while(($row = $db->fetch_array($result)) != false) - { + while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) { $templates_done[] = str_replace('_subject', '', $row['varname']); } - if(count(array_diff($available_templates, $templates_done)) > 0) - { + if (count(array_diff($available_templates, $templates_done)) > 0) { $add = true; } } //filetemplates - $filetemplates = ''; $filetemplateadd = false; - $result = $db->query("SELECT `id`, `varname` FROM `" . TABLE_PANEL_TEMPLATES . "` WHERE `adminid`='" . (int)$userinfo['adminid'] . "' AND `templategroup`='files'"); + $result_stmt = Database::prepare(" + SELECT `id`, `varname` FROM `" . TABLE_PANEL_TEMPLATES . "` + WHERE `adminid` = :adminid AND `templategroup`='files'" + ); + Database::pexecute($result_stmt, array('adminid' => $adminid)); - if($db->num_rows($result) != count($file_templates))$filetemplateadd = true; - - while($row = $db->fetch_array($result)) - { - eval("\$filetemplates.=\"" . getTemplate("templates/templates_filetemplate") . "\";"); + if (Database::num_rows() != count($file_templates)) { + $filetemplateadd = true; } + while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) { + eval("\$filetemplates.=\"" . 
getTemplate("templates/templates_filetemplate") . "\";"); + } eval("echo \"" . getTemplate("templates/templates") . "\";"); -} -elseif($action == 'delete' - && $subjectid != 0 - && $mailbodyid != 0) -{ + +} elseif($action == 'delete' + && $subjectid != 0 + && $mailbodyid != 0 +) { //email templates + $result_stmt = Database::prepare(" + SELECT `language`, `varname` FROM `" . TABLE_PANEL_TEMPLATES . "` + WHERE `adminid` = :adminid AND `id` = :id" + ); + Database::pexecute($result_stmt, array('adminid' => $userinfo['adminid'], 'id' => $subjectid)); + $result = $result_stmt->fetch(PDO::FETCH_ASSOC); - $result = $db->query_first("SELECT `language`, `varname` FROM `" . TABLE_PANEL_TEMPLATES . "` WHERE `adminid`='" . (int)$userinfo['adminid'] . "' AND `id`='" . (int)$subjectid . "'"); - - if($result['varname'] != '') - { - if(isset($_POST['send']) - && $_POST['send'] == 'send') - { - $db->query("DELETE FROM `" . TABLE_PANEL_TEMPLATES . "` WHERE `adminid`='" . (int)$userinfo['adminid'] . "' AND (`id`='" . (int)$subjectid . "' OR `id`='" . (int)$mailbodyid . "')"); + if ($result['varname'] != '') { + if (isset($_POST['send']) + && $_POST['send'] == 'send' + ) { + $del_stmt = Database::prepare(" + DELETE FROM `" . TABLE_PANEL_TEMPLATES . "` + WHERE `adminid` = :adminid + AND (`id` = :ida OR `id` = :idb)" + ); + Database::pexecute($del_stmt, array( + 'adminid' => $userinfo['adminid'], + 'ida' => $subjectid, + 'idb' => $mailbodyid + )); $log->logAction(ADM_ACTION, LOG_INFO, "deleted template '" . $result['language'] . ' - ' . $lng['admin']['templates'][str_replace('_subject', '', $result['varname'])] . "'"); - redirectTo($filename, Array('page' => $page, 's' => $s)); - } - else - { + redirectTo($filename, array('page' => $page, 's' => $s)); + + } else { ask_yesno('admin_template_reallydelete', $filename, array('subjectid' => $subjectid, 'mailbodyid' => $mailbodyid, 'page' => $page, 'action' => $action), $result['language'] . ' - ' . 
$lng['admin']['templates'][str_replace('_subject', '', $result['varname'])]); } } -} -elseif($action == 'deletef' - && $id != 0) -{ + +} elseif($action == 'deletef' + && $id != 0 +) { //file templates + $result_stmt = Database::prepare(" + SELECT * FROM `" . TABLE_PANEL_TEMPLATES . "` + WHERE `adminid` = :adminid AND `id` = :id" + ); + Database::pexecute($result_stmt, array('adminid' => $userinfo['adminid'], 'id' => $id)); - $result = $db->query("SELECT * FROM `" . TABLE_PANEL_TEMPLATES . "` WHERE `adminid`='" . (int)$userinfo['adminid'] . "' AND `id`='" . (int)$id . "'"); + if (Database::num_rows() > 0) { - if($db->num_rows($result) > 0) - { - $row = $db->fetch_array($result); + $row = $result_stmt->fetch(PDO::FETCH_ASSOC); - if(isset($_POST['send']) - && $_POST['send'] == 'send') - { - $db->query("DELETE FROM `" . TABLE_PANEL_TEMPLATES . "` WHERE `adminid`=" . (int)$userinfo['adminid'] . " AND `id`=" . (int)$id . ""); + if (isset($_POST['send']) + && $_POST['send'] == 'send' + ) { + $del_stmt = Database::prepare(" + DELETE FROM `" . TABLE_PANEL_TEMPLATES . "` + WHERE `adminid` = :adminid AND `id` = :id" + ); + Database::pexecute($del_stmt, array('adminid' => $userinfo['adminid'], 'id' => $id)); $log->logAction(ADM_ACTION, LOG_INFO, "deleted template '" . $lng['admin']['templates'][$row['varname']] . 
"'"); - redirectTo($filename, Array('page' => $page, 's' => $s)); - } - else - { + redirectTo($filename, array('page' => $page, 's' => $s)); + + } else { ask_yesno('admin_template_reallydelete', $filename, array('id' => $id, 'page' => $page, 'action' => $action), $lng['admin']['templates'][$row['varname']]); } - } - else - { + + } else { standard_error('templatenotfound'); exit; } -} -elseif($action == 'add') -{ - if($settings['panel']['sendalternativemail'] == 1) - { + +} elseif($action == 'add') { + + if ($settings['panel']['sendalternativemail'] == 1) { $available_templates[] = 'pop_success_alternative'; } - if(isset($_POST['prepare']) - && $_POST['prepare'] == 'prepare') - { + if (isset($_POST['prepare']) + && $_POST['prepare'] == 'prepare' + ) { //email templates - $language = validate($_POST['language'], 'language'); $templates = array(); - $result = $db->query('SELECT `varname` FROM `' . TABLE_PANEL_TEMPLATES . '` WHERE `adminid`=\'' . (int)$userinfo['adminid'] . '\' AND `language`=\'' . $db->escape($language) . '\' AND `templategroup`=\'mails\' AND `varname` LIKE \'%_subject\''); + $result_stmt = Database::prepare(" + SELECT `varname` FROM `" . TABLE_PANEL_TEMPLATES . "` + WHERE `adminid`= :adminid AND `language`= :lang + AND `templategroup` = 'mails' AND `varname` LIKE '%_subject\'" + ); + Database::pexecute($result_stmt, array('adminid' => $userinfo['adminid'], 'lang' => $language)); - while(($row = $db->fetch_array($result)) != false) - { + while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) { $templates[] = str_replace('_subject', '', $row['varname']); } $templates = array_diff($available_templates, $templates); $template_options = ''; - foreach($templates as $template) - { + foreach ($templates as $template) { $template_options.= makeoption($lng['admin']['templates'][$template], $template, NULL, true); } 
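Review bot: In the `prepare` branch of the `add` action the prepared SELECT ends in `%_subject\'`, and inside a double-quoted PHP string `\'` is not an escape sequence, so the SQL sent to the server is `LIKE '%_subject\'`, the backslash escapes the closing quote and the statement is malformed; the sibling queries in this hunk end the line with `LIKE '%_subject'"` and this one should too. Earlier in the same hunk the file-template listing executes with `array('adminid' => $adminid)`, a variable that is not defined anywhere visible in this file while every other call uses `$userinfo['adminid']`; unless init.php sets it, `null` is bound, the SELECT returns nothing and `$filetemplateadd` is always true. Use `Database::pexecute($result_stmt, array('adminid' => $userinfo['adminid']));` there as well.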
@@ -227,105 +240,143 @@ elseif($action == 'add') $image = $template_add_data['template_add']['image']; eval("echo \"" . getTemplate("templates/templates_add_2") . "\";"); - } - elseif(isset($_POST['send']) - && $_POST['send'] == 'send') - { - //email templates + } elseif(isset($_POST['send']) + && $_POST['send'] == 'send' + ) { + //email templates $language = validate($_POST['language'], 'language', '/^[^\r\n\0"\']+$/', 'nolanguageselect'); $template = validate($_POST['template'], 'template'); $subject = validate($_POST['subject'], 'subject', '/^[^\r\n\0]+$/', 'nosubjectcreate'); $mailbody = validate($_POST['mailbody'], 'mailbody', '/^[^\0]+$/', 'nomailbodycreate'); $templates = array(); - $result = $db->query('SELECT `varname` FROM `' . TABLE_PANEL_TEMPLATES . '` WHERE `adminid`=\'' . (int)$userinfo['adminid'] . '\' AND `language`=\'' . $db->escape($language) . '\' AND `templategroup`=\'mails\' AND `varname` LIKE \'%_subject\''); + $result_stmt = Database::prepare(" + SELECT `varname` FROM `" . TABLE_PANEL_TEMPLATES . "` + WHERE `adminid` = :adminid AND `language` = :lang + AND `templategroup` = 'mails' AND `varname` LIKE '%_subject'" + ); + Database::pexecute($result_stmt, array('adminid' => $userinfo['adminid'], 'lang' => $language)); - while(($row = $db->fetch_array($result)) != false) - { + while($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) { $templates[] = str_replace('_subject', '', $row['varname']); } $templates = array_diff($available_templates, $templates); - - if(array_search($template, $templates) === false) - { + if (array_search($template, $templates) === false) { standard_error('templatenotfound'); - } - else - { - $result = $db->query("INSERT INTO `" . TABLE_PANEL_TEMPLATES . "` (`adminid`, `language`, `templategroup`, `varname`, `value`) - VALUES ('" . (int)$userinfo['adminid'] . "', '" . $db->escape($language) . "', 'mails', '" . $db->escape($template) . "_subject','" . $db->escape($subject) . "')"); - $result = $db->query("INSERT INTO `" . 
TABLE_PANEL_TEMPLATES . "` (`adminid`, `language`, `templategroup`, `varname`, `value`) - VALUES ('" . (int)$userinfo['adminid'] . "', '" . $db->escape($language) . "', 'mails', '" . $db->escape($template) . "_mailbody','" . $db->escape($mailbody) . "')"); - $log->logAction(ADM_ACTION, LOG_INFO, "added template '" . $language . ' - ' . $template . "'"); - redirectTo($filename, Array('page' => $page, 's' => $s)); - } - } - elseif(isset($_POST['filesend']) - && $_POST['filesend'] == 'filesend') - { - //file templates + } else { + $ins_stmt = Database::prepare(" + INSERT INTO `" . TABLE_PANEL_TEMPLATES . "` SET + `adminid` = :adminid, + `language` = :lang, + `templategroup` = 'mails', + `varname` = :var, + `value` = :value" + ); + + // mail-subject + $ins_data = array( + 'adminid' => $userinfo['adminid'], + 'lang' => $language, + 'var' => $template.'_subject', + 'value' => $subject + ); + Database::pexecute($ins_stmt, $ins_data); + + // mail-body + $ins_data = array( + 'adminid' => $userinfo['adminid'], + 'lang' => $language, + 'var' => $template.'_mailbody', + 'value' => $mailbody + ); + Database::pexecute($ins_stmt, $ins_data); + + $log->logAction(ADM_ACTION, LOG_INFO, "added template '" . $language . ' - ' . $template . "'"); + redirectTo($filename, array('page' => $page, 's' => $s)); + } + + } elseif(isset($_POST['filesend']) + && $_POST['filesend'] == 'filesend' + ) { + //file templates $template = validate($_POST['template'], 'template'); $filecontent = validate($_POST['filecontent'], 'filecontent', '/^[^\0]+$/', 'filecontentnotset'); - $db->query("INSERT INTO `" . TABLE_PANEL_TEMPLATES . "` (`adminid`, `language`, `templategroup`, `varname`, `value`) - VALUES ('" . (int)$userinfo['adminid'] . "', '', 'files', '" . $db->escape($template) . "','" . $db->escape($filecontent) . "')"); - $log->logAction(ADM_ACTION, LOG_INFO, "added template '" . $template . 
"'"); - redirectTo($filename, Array('page' => $page, 's' => $s)); - } - elseif(!isset($_GET['files'])) - { - //email templates + $ins_stmt = Database::prepare(" + INSERT INTO `" . TABLE_PANEL_TEMPLATES . "` SET + `adminid` = :adminid, + `language` = '', + `templategroup` = 'files, + `varname` = :var, + `value` = :value" + ); + + $ins_data = array( + 'adminid' => $userinfo['adminid'], + 'var' => $template, + 'value' => $filecontent + ); + Database::pexecute($ins_stmt, $ins_data); + + $log->logAction(ADM_ACTION, LOG_INFO, "added template '" . $template . "'"); + redirectTo($filename, array('page' => $page, 's' => $s)); + + } elseif(!isset($_GET['files'])) { + + //email templates $add = false; $language_options = ''; - while(list($language_file, $language_name) = each($languages)) - { + while (list($language_file, $language_name) = each($languages)) { $templates = array(); - $result = $db->query('SELECT `varname` FROM `' . TABLE_PANEL_TEMPLATES . '` WHERE `adminid`=\'' . (int)$userinfo['adminid'] . '\' AND `language`=\'' . $db->escape($language_name) . '\' AND `templategroup`=\'mails\' AND `varname` LIKE \'%_subject\''); + $result_stmt = Database::prepare(" + SELECT `varname` FROM `" . TABLE_PANEL_TEMPLATES . "` + WHERE `adminid` = :adminid AND `language` = :lang + AND `templategroup` = 'mails' AND `varname` LIKE '%_subject'" + ); + Database::pexecute($result_stmt, array('adminid' => $userinfo['adminid'], 'lang' => $language_name)); - while(($row = $db->fetch_array($result)) != false) - { + while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) { $templates[] = str_replace('_subject', '', $row['varname']); } - if(count(array_diff($available_templates, $templates)) > 0) - { + if (count(array_diff($available_templates, $templates)) > 0) { $add = true; $language_options.= makeoption($language_name, $language_file, $userinfo['language'], true); } } - if($add) - { + if ($add) { eval("echo \"" . getTemplate("templates/templates_add_1") . 
"\";"); - } - else - { + } else { standard_error('alltemplatesdefined'); exit; } - } - else - { + + } else { //filetemplates + $result_stmt = Database::prepare(" + SELECT `id`, `varname` FROM `" . TABLE_PANEL_TEMPLATES . "` + WHERE `adminid` = :adminid AND `templategroup`='files'" + ); + Database::pexecute($result_stmt, array('adminid' => $userinfo['adminid'])); - $result = $db->query("SELECT `id`, `varname` FROM `" . TABLE_PANEL_TEMPLATES . "` WHERE `adminid`='" . (int)$userinfo['adminid'] . "' AND `templategroup`='files'"); - - if($db->num_rows($result) == count($file_templates)) - { + if (Database::num_rows() == count($file_templates)) { standard_error('alltemplatesdefined'); exit; - } - else - { + + } else { + $templatesdefined = array(); $free_templates = ''; - while($row = $db->fetch_array($result))$templatesdefined[] = $row['varname']; - foreach(array_diff($file_templates, $templatesdefined) as $template) - { + while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) { + $templatesdefined[] = $row['varname']; + } + + foreach (array_diff($file_templates, $templatesdefined) as $template) { $free_templates.= makeoption($lng['admin']['templates'][$template], $template, '', true); } 
@@ -338,33 +389,61 @@ elseif($action == 'add') eval("echo \"" . getTemplate("templates/filetemplates_add") . "\";"); } } -} -elseif($action == 'edit' - && $subjectid != 0 - && $mailbodyid != 0) -{ + +} elseif($action == 'edit' + && $subjectid != 0 + && $mailbodyid != 0 +) { //email templates + $result_stmt = Database::prepare(" + SELECT `language`, `varname`, `value` FROM `" . TABLE_PANEL_TEMPLATES . "` + WHERE `adminid` = :adminid AND `id` = :subjectid" + ); + Database::pexecute($result_stmt, array('adminid' => $userinfo['adminid'], 'subjectid' => $subjectid)); + $result = $result_stmt->fetch(PDO::FETCH_ASSOC); - $result = $db->query_first("SELECT `language`, `varname`, `value` FROM `" . TABLE_PANEL_TEMPLATES . "` WHERE `adminid`='" . (int)$userinfo['adminid'] . "' AND `id`='" . (int)$subjectid . "'"); + if ($result['varname'] != '') { - if($result['varname'] != '') - { - if(isset($_POST['send']) - && $_POST['send'] == 'send') - { + if (isset($_POST['send']) + && $_POST['send'] == 'send' + ) { $subject = validate($_POST['subject'], 'subject', '/^[^\r\n\0]+$/', 'nosubjectcreate'); $mailbody = validate($_POST['mailbody'], 'mailbody', '/^[^\0]+$/', 'nomailbodycreate'); - $db->query("UPDATE `" . TABLE_PANEL_TEMPLATES . "` SET `value`='" . $db->escape($subject) . "' WHERE `adminid`='" . (int)$userinfo['adminid'] . "' AND `id`='" . (int)$subjectid . "'"); - $db->query("UPDATE `" . TABLE_PANEL_TEMPLATES . "` SET `value`='" . $db->escape($mailbody) . "' WHERE `adminid`='" . (int)$userinfo['adminid'] . "' AND `id`='" . (int)$mailbodyid . "'"); + + $upd_stmt = Database::prepare(" + UPDATE `" . TABLE_PANEL_TEMPLATES . 
"` SET + `value` = :value + WHERE `adminid` = :adminid AND `id` = :id" + ); + // subject + Database::pexecute($upd_stmt, array( + 'value' => $subject, + 'adminid' => $userinfo['adminid'], + 'id' => $subjectid + )); + // same query but mailbody + Database::pexecute($upd_stmt, array( + 'value' => $mailbody, + 'adminid' => $userinfo['adminid'], + 'id' => $mailbodyid + )); + $log->logAction(ADM_ACTION, LOG_INFO, "edited template '" . $result['varname'] . "'"); - redirectTo($filename, Array('page' => $page, 's' => $s)); - } - else - { + redirectTo($filename, array('page' => $page, 's' => $s)); + + } else { + $result = htmlentities_array($result); $template = $lng['admin']['templates'][str_replace('_subject', '', $result['varname'])]; $subject = $result['value']; - $result = $db->query_first("SELECT `language`, `varname`, `value` FROM `" . TABLE_PANEL_TEMPLATES . "` WHERE `id`='$mailbodyid'"); + $result_stmt = Database::prepare(" + SELECT `language`, `varname`, `value` + FROM `" . TABLE_PANEL_TEMPLATES . "` + WHERE `id` = :id" + ); + Database::pexecute($result_stmt, array('id' => $mailbodyid)); + $result = $result_stmt->fetch(PDO::FETCH_ASSOC); + $result = htmlentities_array($result); $mailbody = $result['value']; 
@@ -377,30 +456,41 @@ elseif($action == 'edit' eval("echo \"" . getTemplate("templates/templates_edit") . "\";"); } } -} -elseif($action == 'editf' - && $id != 0) -{ + +} elseif($action == 'editf' + && $id != 0 +) { //file templates + $result_stmt = Database::prepare(" + SELECT * FROM `" . TABLE_PANEL_TEMPLATES . "` + WHERE `adminid` = :adminid AND `id` = :id" + ); + Database::pexecute($result_stmt, array('adminid' => $userinfo['adminid'], 'id' => $id)); - $result = $db->query("SELECT * FROM `" . TABLE_PANEL_TEMPLATES . "` WHERE `adminid`='" . (int)$userinfo['adminid'] . "' AND `id`='" . (int)$id . "'"); + if(Database::num_rows() > 0) { - if($db->num_rows($result) > 0) - { - $row = $db->fetch_array($result); + $row = $result_stmt->fetch(PDO::FETCH_ASSOC); //filetemplates - - if(isset($_POST['filesend']) - && $_POST['filesend'] == 'filesend') - { + if (isset($_POST['filesend']) + && $_POST['filesend'] == 'filesend' + ) { $filecontent = validate($_POST['filecontent'], 'filecontent', '/^[^\0]+$/', 'filecontentnotset'); - $db->query("UPDATE `" . TABLE_PANEL_TEMPLATES . "` SET `value`='" . $db->escape($filecontent) . "' WHERE `adminid`='" . (int)$userinfo['adminid'] . "' AND `id`='" . (int)$id . "'"); + $upd_stmt = Database::prepare(" + UPDATE `" . TABLE_PANEL_TEMPLATES . "` SET + `value` = :value + WHERE `adminid` = :adminid AND `id` = :id" + ); + Database::pexecute($upd_stmt, array( + 'value' => $filecontent, + 'adminid' => $userinfo['adminid'], + 'id' => $id + )); + $log->logAction(ADM_ACTION, LOG_INFO, "edited template '" . $row['varname'] . "'"); - redirectTo($filename, Array('page' => $page, 's' => $s)); - } - else - { + redirectTo($filename, array('page' => $page, 's' => $s)); + + } else { $row = htmlentities_array($row); $filetemplate_edit_data = include_once dirname(__FILE__).'/lib/formfields/admin/templates/formfield.filetemplate_edit.php'; 
@@ -411,9 +501,8 @@ elseif($action == 'editf' eval("echo \"" . getTemplate("templates/filetemplates_edit") . "\";"); } - } - else - { + + } else { standard_error('templatenotfound'); exit; }