# HG changeset patch # User Dan # Date 1193441334 14400 # Node ID 473cc747022a57d44cb2baec8b542c79c01b96c1 # Parent ebe99e82a59ac6e1518c189302a0333f42bd6b0b# Parent 8e2fffc5c622b5665ed59e8d20d874daf3005577 You know what folks, a lot of Mercurial merges failed, and I just now figured out why. So now all changes from stable are permanently synced in. diff -r ebe99e82a59a -r 473cc747022a ajax.php --- a/ajax.php Sat Oct 20 21:44:13 2007 -0400 +++ b/ajax.php Fri Oct 26 19:28:54 2007 -0400 @@ -1,410 +1,410 @@ -connect(); - - // should be connected now - $name = (isset($_GET['name'])) ? $db->escape($_GET['name']) : false; - if ( !$name ) - { - die('userlist = new Array(); errorstring=\'Invalid URI\''); - } - $q = $db->sql_query('SELECT username,user_id FROM '.table_prefix.'users WHERE lcase(username) LIKE lcase(\'%'.$name.'%\');'); - if ( !$q ) - { - die('userlist = new Array(); errorstring=\'MySQL error selecting username data: '.addslashes(mysql_error()).'\''); - } - if($db->numrows() < 1) - { - die('userlist = new Array(); errorstring=\'No usernames found\';'); - } - echo 'var errorstring = false; userlist = new Array();'; - $i = 0; - while($r = $db->fetchrow()) - { - echo "userlist[$i] = '".addslashes($r['username'])."'; "; - $i++; - } - $db->free_result(); - - // all done! :-) - $db->close(); - exit; - } - - require('includes/common.php'); - - global $db, $session, $paths, $template, $plugins; // Common objects - if(!isset($_GET['_mode'])) die('This script cannot be accessed directly.'); - - $_ob = ''; - - switch($_GET['_mode']) { - case "checkusername": - echo PageUtils::checkusername($_GET['name']); - break; - case "getsource": - $p = ( isset($_GET['pagepass']) ) ? $_GET['pagepass'] : false; - echo PageUtils::getsource($paths->page, $p); - break; - case "getpage": - // echo PageUtils::getpage($paths->page, false, ( (isset($_GET['oldid'])) ? $_GET['oldid'] : false )); - $revision_id = ( (isset($_GET['oldid'])) ? intval($_GET['oldid']) : 0 ); - $page = new PageProcessor( $paths->cpage['urlname_nons'], $paths->namespace, $revision_id ); - - $pagepass = ( isset($_REQUEST['pagepass']) ) ? $_REQUEST['pagepass'] : ''; - $page->password = $pagepass; - - $page->send(); - break; - case "savepage": - $summ = ( isset($_POST['summary']) ) ? $_POST['summary'] : ''; - $minor = isset($_POST['minor']); - $e = PageUtils::savepage($paths->cpage['urlname_nons'], $paths->namespace, $_POST['text'], $summ, $minor); - if($e=='good') - { - $page = new PageProcessor($paths->cpage['urlname_nons'], $paths->namespace); - $page->send(); - } - else - { - echo 'Error saving the page: '.$e; - } - break; - case "protect": - echo PageUtils::protect($paths->cpage['urlname_nons'], $paths->namespace, (int)$_POST['level'], $_POST['reason']); - break; - case "histlist": - echo PageUtils::histlist($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "rollback": - echo PageUtils::rollback( (int)$_GET['id'] ); - break; - case "comments": - $comments = new Comments($paths->cpage['urlname_nons'], $paths->namespace); - if ( isset($_POST['data']) ) - { - $comments->process_json($_POST['data']); - } - else - { - die('{ "mode" : "error", "error" : "No input" }'); - } - break; - case "rename": - echo PageUtils::rename($paths->cpage['urlname_nons'], $paths->namespace, $_POST['newtitle']); - break; - case "flushlogs": - echo PageUtils::flushlogs($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "deletepage": - $reason = ( isset($_POST['reason']) ) ? $_POST['reason'] : false; - if ( empty($reason) ) - die('Please enter a reason for deleting this page.'); - echo PageUtils::deletepage($paths->cpage['urlname_nons'], $paths->namespace, $reason); - break; - case "delvote": - echo PageUtils::delvote($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "resetdelvotes": - echo PageUtils::resetdelvotes($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "getstyles": - echo PageUtils::getstyles($_GET['id']); - break; - case "catedit": - echo PageUtils::catedit($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "catsave": - echo PageUtils::catsave($paths->cpage['urlname_nons'], $paths->namespace, $_POST); - break; - case "setwikimode": - echo PageUtils::setwikimode($paths->cpage['urlname_nons'], $paths->namespace, (int)$_GET['mode']); - break; - case "setpass": - echo PageUtils::setpass($paths->cpage['urlname_nons'], $paths->namespace, $_POST['password']); - break; - case "fillusername": - break; - case "fillpagename": - $name = (isset($_GET['name'])) ? $_GET['name'] : false; - if(!$name) die('userlist = new Array(); namelist = new Array(); errorstring=\'Invalid URI\''); - $nd = RenderMan::strToPageID($name); - $c = 0; - $u = Array(); - $n = Array(); - - $name = sanitize_page_id($name); - $name = str_replace('_', ' ', $name); - - for($i=0;$ipages)/2;$i++) - { - if( ( - preg_match('#'.preg_quote($name).'(.*)#i', $paths->pages[$i]['name']) || - preg_match('#'.preg_quote($name).'(.*)#i', $paths->pages[$i]['urlname']) || - preg_match('#'.preg_quote($name).'(.*)#i', $paths->pages[$i]['urlname_nons']) || - preg_match('#'.preg_quote(str_replace(' ', '_', $name)).'(.*)#i', $paths->pages[$i]['name']) || - preg_match('#'.preg_quote(str_replace(' ', '_', $name)).'(.*)#i', $paths->pages[$i]['urlname']) || - preg_match('#'.preg_quote(str_replace(' ', '_', $name)).'(.*)#i', $paths->pages[$i]['urlname_nons']) - ) && - ( ( $nd[1] != 'Article' && $paths->pages[$i]['namespace'] == $nd[1] ) || $nd[1] == 'Article' ) - && $paths->pages[$i]['visible'] - ) - { - $c++; - $u[] = $paths->pages[$i]['name']; - $n[] = $paths->pages[$i]['urlname']; - } - } - if($c > 0) - { - echo 'userlist = new Array(); namelist = new Array(); errorstring = false; '."\n"; - for($i=0;$iInvalid request.

'; $template->footer(); break; } - if(!preg_match('#^([0-9]+)$#', (string)$_GET['diff1']) || - !preg_match('#^([0-9]+)$#', (string)$_GET['diff2'] )) { echo '

SQL injection attempt

'; $template->footer(); break; } - echo PageUtils::pagediff($paths->cpage['urlname_nons'], $paths->namespace, $id1, $id2); - break; - case "jsres": - die('// ERROR: this section is deprecated and has moved to includes/clientside/static/enano-lib-basic.js.'); - break; - case "rdns": - if(!$session->get_permissions('mod_misc')) die('Go somewhere else for your reverse DNS info!'); - $ip = $_GET['ip']; - $rdns = gethostbyaddr($ip); - if($rdns == $ip) echo 'Unable to get reverse DNS information. Perhaps the DNS server is down or the PTR record no longer exists.'; - else echo $rdns; - break; - case 'acljson': - $parms = ( isset($_POST['acl_params']) ) ? rawurldecode($_POST['acl_params']) : false; - echo PageUtils::acl_json($parms); - break; - case "change_theme": - if ( !isset($_POST['theme_id']) || !isset($_POST['style_id']) ) - { - die('Invalid input'); - } - if ( !preg_match('/^([a-z0-9_-]+)$/i', $_POST['theme_id']) || !preg_match('/^([a-z0-9_-]+)$/i', $_POST['style_id']) ) - { - die('Invalid input'); - } - if ( !file_exists(ENANO_ROOT . '/themes/' . $_POST['theme_id'] . '/css/' . $_POST['style_id'] . '.css') ) - { - die('Can\'t find theme file: ' . ENANO_ROOT . '/themes/' . $_POST['theme_id'] . '/css/' . $_POST['style_id'] . '.css'); - } - if ( !$session->user_logged_in ) - { - die('You must be logged in to change your theme'); - } - // Just in case something slipped through... - $theme_id = $db->escape($_POST['theme_id']); - $style_id = $db->escape($_POST['style_id']); - $e = $db->sql_query('UPDATE ' . table_prefix . "users SET theme='$theme_id', style='$style_id' WHERE user_id=$session->user_id;"); - if ( !$e ) - die( $db->get_error() ); - die('GOOD'); - break; - case 'get_tags': - $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); - - $ret = array('tags' => array(), 'user_level' => $session->user_level, 'can_add' => $session->get_permissions('tag_create')); - $q = $db->sql_query('SELECT t.tag_id, t.tag_name, pg.pg_target IS NOT NULL AS used_in_acl, t.user FROM '.table_prefix.'tags AS t - LEFT JOIN '.table_prefix.'page_groups AS pg - ON ( ( pg.pg_type = ' . PAGE_GRP_TAGGED . ' AND pg.pg_target=t.tag_name ) OR ( pg.pg_type IS NULL AND pg.pg_target IS NULL ) ) - WHERE t.page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND t.namespace=\'' . $db->escape($paths->namespace) . '\';'); - if ( !$q ) - $db->_die(); - - while ( $row = $db->fetchrow() ) - { - $can_del = true; - - $perm = ( $row['user'] != $session->user_id ) ? - 'tag_delete_other' : - 'tag_delete_own'; - - if ( $row['user'] == 1 && !$session->user_logged_in ) - // anonymous user trying to delete tag (hardcode blacklisted) - $can_del = false; - - if ( !$session->get_permissions($perm) ) - $can_del = false; - - if ( $row['used_in_acl'] == 1 && !$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN ) - $can_del = false; - - $ret['tags'][] = array( - 'id' => $row['tag_id'], - 'name' => $row['tag_name'], - 'can_del' => $can_del, - 'acl' => ( $row['used_in_acl'] == 1 ) - ); - } - - echo $json->encode($ret); - - break; - case 'addtag': - $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); - $resp = array( - 'success' => false, - 'error' => 'No error', - 'can_del' => ( $session->get_permissions('tag_delete_own') && $session->user_logged_in ), - 'in_acl' => false - ); - - // first of course, are we allowed to tag pages? - if ( !$session->get_permissions('tag_create') ) - { - $resp['error'] = 'You are not permitted to tag pages.'; - die($json->encode($resp)); - } - - // sanitize the tag name - $tag = sanitize_tag($_POST['tag']); - $tag = $db->escape($tag); - - if ( strlen($tag) < 2 ) - { - $resp['error'] = 'Tags must consist of at least 2 alphanumeric characters.'; - die($json->encode($resp)); - } - - // check if tag is already on page - $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'tags WHERE page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND namespace=\'' . $db->escape($paths->namespace) . '\' AND tag_name=\'' . $tag . '\';'); - if ( !$q ) - $db->_die(); - if ( $db->numrows() > 0 ) - { - $resp['error'] = 'This page already has this tag.'; - die($json->encode($resp)); - } - $db->free_result(); - - // tricky: make sure this tag isn't being used in some page group, and thus adding it could affect page access - $can_edit_acl = ( $session->get_permissions('edit_acl') || $session->user_level >= USER_LEVEL_ADMIN ); - $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'page_groups WHERE pg_type=' . PAGE_GRP_TAGGED . ' AND pg_target=\'' . $tag . '\';'); - if ( !$q ) - $db->_die(); - if ( $db->numrows() > 0 && !$can_edit_acl ) - { - $resp['error'] = 'This tag is used in an ACL page group, and thus can\'t be added to a page by people without administrator privileges.'; - die($json->encode($resp)); - } - $resp['in_acl'] = ( $db->numrows() > 0 ); - $db->free_result(); - - // we're good - $q = $db->sql_query('INSERT INTO '.table_prefix.'tags(tag_name,page_id,namespace,user) VALUES(\'' . $tag . '\', \'' . $db->escape($paths->cpage['urlname_nons']) . '\', \'' . $db->escape($paths->namespace) . '\', ' . $session->user_id . ');'); - if ( !$q ) - $db->_die(); - - $resp['success'] = true; - $resp['tag'] = $tag; - $resp['tag_id'] = $db->insert_id(); - - echo $json->encode($resp); - break; - case 'deltag': - - $tag_id = intval($_POST['tag_id']); - if ( empty($tag_id) ) - die('Invalid tag ID'); - - $q = $db->sql_query('SELECT t.tag_id, t.user, t.page_id, t.namespace, pg.pg_target IS NOT NULL AS used_in_acl FROM '.table_prefix.'tags AS t - LEFT JOIN '.table_prefix.'page_groups AS pg - ON ( pg.pg_id IS NULL OR ( pg.pg_target = t.tag_name AND pg.pg_type = ' . PAGE_GRP_TAGGED . ' ) ) - WHERE t.tag_id=' . $tag_id . ';'); - - if ( !$q ) - $db->_die(); - - if ( $db->numrows() < 1 ) - die('Could not find a tag with that ID'); - - $row = $db->fetchrow(); - $db->free_result(); - - if ( $row['page_id'] == $paths->cpage['urlname_nons'] && $row['namespace'] == $paths->namespace ) - $perms =& $session; - else - $perms = $session->fetch_page_acl($row['page_id'], $row['namespace']); - - $perm = ( $row['user'] != $session->user_id ) ? - 'tag_delete_other' : - 'tag_delete_own'; - - if ( $row['user'] == 1 && !$session->user_logged_in ) - // anonymous user trying to delete tag (hardcode blacklisted) - die('You are not authorized to delete this tag.'); - - if ( !$perms->get_permissions($perm) ) - die('You are not authorized to delete this tag.'); - - if ( $row['used_in_acl'] == 1 && !$perms->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN ) - die('You are not authorized to delete this tag.'); - - // We're good - $q = $db->sql_query('DELETE FROM '.table_prefix.'tags WHERE tag_id = ' . $tag_id . ';'); - if ( !$q ) - $db->_die(); - - echo 'success'; - - break; - case 'ping': - echo 'pong'; - break; - default: - die('Hacking attempt'); - break; - } - +connect(); + + // should be connected now + $name = (isset($_GET['name'])) ? $db->escape($_GET['name']) : false; + if ( !$name ) + { + die('userlist = new Array(); errorstring=\'Invalid URI\''); + } + $q = $db->sql_query('SELECT username,user_id FROM '.table_prefix.'users WHERE lcase(username) LIKE lcase(\'%'.$name.'%\');'); + if ( !$q ) + { + die('userlist = new Array(); errorstring=\'MySQL error selecting username data: '.addslashes(mysql_error()).'\''); + } + if($db->numrows() < 1) + { + die('userlist = new Array(); errorstring=\'No usernames found\';'); + } + echo 'var errorstring = false; userlist = new Array();'; + $i = 0; + while($r = $db->fetchrow()) + { + echo "userlist[$i] = '".addslashes($r['username'])."'; "; + $i++; + } + $db->free_result(); + + // all done! :-) + $db->close(); + exit; + } + + require('includes/common.php'); + + global $db, $session, $paths, $template, $plugins; // Common objects + if(!isset($_GET['_mode'])) die('This script cannot be accessed directly.'); + + $_ob = ''; + + switch($_GET['_mode']) { + case "checkusername": + echo PageUtils::checkusername($_GET['name']); + break; + case "getsource": + $p = ( isset($_GET['pagepass']) ) ? $_GET['pagepass'] : false; + echo PageUtils::getsource($paths->page, $p); + break; + case "getpage": + // echo PageUtils::getpage($paths->page, false, ( (isset($_GET['oldid'])) ? $_GET['oldid'] : false )); + $revision_id = ( (isset($_GET['oldid'])) ? intval($_GET['oldid']) : 0 ); + $page = new PageProcessor( $paths->cpage['urlname_nons'], $paths->namespace, $revision_id ); + + $pagepass = ( isset($_REQUEST['pagepass']) ) ? $_REQUEST['pagepass'] : ''; + $page->password = $pagepass; + + $page->send(); + break; + case "savepage": + $summ = ( isset($_POST['summary']) ) ? $_POST['summary'] : ''; + $minor = isset($_POST['minor']); + $e = PageUtils::savepage($paths->cpage['urlname_nons'], $paths->namespace, $_POST['text'], $summ, $minor); + if($e=='good') + { + $page = new PageProcessor($paths->cpage['urlname_nons'], $paths->namespace); + $page->send(); + } + else + { + echo '

Error saving the page: '.$e.'

'; + } + break; + case "protect": + echo PageUtils::protect($paths->cpage['urlname_nons'], $paths->namespace, (int)$_POST['level'], $_POST['reason']); + break; + case "histlist": + echo PageUtils::histlist($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "rollback": + echo PageUtils::rollback( (int)$_GET['id'] ); + break; + case "comments": + $comments = new Comments($paths->cpage['urlname_nons'], $paths->namespace); + if ( isset($_POST['data']) ) + { + $comments->process_json($_POST['data']); + } + else + { + die('{ "mode" : "error", "error" : "No input" }'); + } + break; + case "rename": + echo PageUtils::rename($paths->cpage['urlname_nons'], $paths->namespace, $_POST['newtitle']); + break; + case "flushlogs": + echo PageUtils::flushlogs($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "deletepage": + $reason = ( isset($_POST['reason']) ) ? $_POST['reason'] : false; + if ( empty($reason) ) + die('Please enter a reason for deleting this page.'); + echo PageUtils::deletepage($paths->cpage['urlname_nons'], $paths->namespace, $reason); + break; + case "delvote": + echo PageUtils::delvote($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "resetdelvotes": + echo PageUtils::resetdelvotes($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "getstyles": + echo PageUtils::getstyles($_GET['id']); + break; + case "catedit": + echo PageUtils::catedit($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "catsave": + echo PageUtils::catsave($paths->cpage['urlname_nons'], $paths->namespace, $_POST); + break; + case "setwikimode": + echo PageUtils::setwikimode($paths->cpage['urlname_nons'], $paths->namespace, (int)$_GET['mode']); + break; + case "setpass": + echo PageUtils::setpass($paths->cpage['urlname_nons'], $paths->namespace, $_POST['password']); + break; + case "fillusername": + break; + case "fillpagename": + $name = (isset($_GET['name'])) ? $_GET['name'] : false; + if(!$name) die('userlist = new Array(); namelist = new Array(); errorstring=\'Invalid URI\''); + $nd = RenderMan::strToPageID($name); + $c = 0; + $u = Array(); + $n = Array(); + + $name = sanitize_page_id($name); + $name = str_replace('_', ' ', $name); + + for($i=0;$ipages)/2;$i++) + { + if( ( + preg_match('#'.preg_quote($name).'(.*)#i', $paths->pages[$i]['name']) || + preg_match('#'.preg_quote($name).'(.*)#i', $paths->pages[$i]['urlname']) || + preg_match('#'.preg_quote($name).'(.*)#i', $paths->pages[$i]['urlname_nons']) || + preg_match('#'.preg_quote(str_replace(' ', '_', $name)).'(.*)#i', $paths->pages[$i]['name']) || + preg_match('#'.preg_quote(str_replace(' ', '_', $name)).'(.*)#i', $paths->pages[$i]['urlname']) || + preg_match('#'.preg_quote(str_replace(' ', '_', $name)).'(.*)#i', $paths->pages[$i]['urlname_nons']) + ) && + ( ( $nd[1] != 'Article' && $paths->pages[$i]['namespace'] == $nd[1] ) || $nd[1] == 'Article' ) + && $paths->pages[$i]['visible'] + ) + { + $c++; + $u[] = $paths->pages[$i]['name']; + $n[] = $paths->pages[$i]['urlname']; + } + } + if($c > 0) + { + echo 'userlist = new Array(); namelist = new Array(); errorstring = false; '."\n"; + for($i=0;$iInvalid request.

'; $template->footer(); break; } + if(!preg_match('#^([0-9]+)$#', (string)$_GET['diff1']) || + !preg_match('#^([0-9]+)$#', (string)$_GET['diff2'] )) { echo '

SQL injection attempt

'; $template->footer(); break; } + echo PageUtils::pagediff($paths->cpage['urlname_nons'], $paths->namespace, $id1, $id2); + break; + case "jsres": + die('// ERROR: this section is deprecated and has moved to includes/clientside/static/enano-lib-basic.js.'); + break; + case "rdns": + if(!$session->get_permissions('mod_misc')) die('Go somewhere else for your reverse DNS info!'); + $ip = $_GET['ip']; + $rdns = gethostbyaddr($ip); + if($rdns == $ip) echo 'Unable to get reverse DNS information. Perhaps the DNS server is down or the PTR record no longer exists.'; + else echo $rdns; + break; + case 'acljson': + $parms = ( isset($_POST['acl_params']) ) ? rawurldecode($_POST['acl_params']) : false; + echo PageUtils::acl_json($parms); + break; + case "change_theme": + if ( !isset($_POST['theme_id']) || !isset($_POST['style_id']) ) + { + die('Invalid input'); + } + if ( !preg_match('/^([a-z0-9_-]+)$/i', $_POST['theme_id']) || !preg_match('/^([a-z0-9_-]+)$/i', $_POST['style_id']) ) + { + die('Invalid input'); + } + if ( !file_exists(ENANO_ROOT . '/themes/' . $_POST['theme_id'] . '/css/' . $_POST['style_id'] . '.css') ) + { + die('Can\'t find theme file: ' . ENANO_ROOT . '/themes/' . $_POST['theme_id'] . '/css/' . $_POST['style_id'] . '.css'); + } + if ( !$session->user_logged_in ) + { + die('You must be logged in to change your theme'); + } + // Just in case something slipped through... + $theme_id = $db->escape($_POST['theme_id']); + $style_id = $db->escape($_POST['style_id']); + $e = $db->sql_query('UPDATE ' . table_prefix . "users SET theme='$theme_id', style='$style_id' WHERE user_id=$session->user_id;"); + if ( !$e ) + die( $db->get_error() ); + die('GOOD'); + break; + case 'get_tags': + $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); + + $ret = array('tags' => array(), 'user_level' => $session->user_level, 'can_add' => $session->get_permissions('tag_create')); + $q = $db->sql_query('SELECT t.tag_id, t.tag_name, pg.pg_target IS NOT NULL AS used_in_acl, t.user FROM '.table_prefix.'tags AS t + LEFT JOIN '.table_prefix.'page_groups AS pg + ON ( ( pg.pg_type = ' . PAGE_GRP_TAGGED . ' AND pg.pg_target=t.tag_name ) OR ( pg.pg_type IS NULL AND pg.pg_target IS NULL ) ) + WHERE t.page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND t.namespace=\'' . $db->escape($paths->namespace) . '\';'); + if ( !$q ) + $db->_die(); + + while ( $row = $db->fetchrow() ) + { + $can_del = true; + + $perm = ( $row['user'] != $session->user_id ) ? + 'tag_delete_other' : + 'tag_delete_own'; + + if ( $row['user'] == 1 && !$session->user_logged_in ) + // anonymous user trying to delete tag (hardcode blacklisted) + $can_del = false; + + if ( !$session->get_permissions($perm) ) + $can_del = false; + + if ( $row['used_in_acl'] == 1 && !$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN ) + $can_del = false; + + $ret['tags'][] = array( + 'id' => $row['tag_id'], + 'name' => $row['tag_name'], + 'can_del' => $can_del, + 'acl' => ( $row['used_in_acl'] == 1 ) + ); + } + + echo $json->encode($ret); + + break; + case 'addtag': + $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); + $resp = array( + 'success' => false, + 'error' => 'No error', + 'can_del' => ( $session->get_permissions('tag_delete_own') && $session->user_logged_in ), + 'in_acl' => false + ); + + // first of course, are we allowed to tag pages? + if ( !$session->get_permissions('tag_create') ) + { + $resp['error'] = 'You are not permitted to tag pages.'; + die($json->encode($resp)); + } + + // sanitize the tag name + $tag = sanitize_tag($_POST['tag']); + $tag = $db->escape($tag); + + if ( strlen($tag) < 2 ) + { + $resp['error'] = 'Tags must consist of at least 2 alphanumeric characters.'; + die($json->encode($resp)); + } + + // check if tag is already on page + $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'tags WHERE page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND namespace=\'' . $db->escape($paths->namespace) . '\' AND tag_name=\'' . $tag . '\';'); + if ( !$q ) + $db->_die(); + if ( $db->numrows() > 0 ) + { + $resp['error'] = 'This page already has this tag.'; + die($json->encode($resp)); + } + $db->free_result(); + + // tricky: make sure this tag isn't being used in some page group, and thus adding it could affect page access + $can_edit_acl = ( $session->get_permissions('edit_acl') || $session->user_level >= USER_LEVEL_ADMIN ); + $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'page_groups WHERE pg_type=' . PAGE_GRP_TAGGED . ' AND pg_target=\'' . $tag . '\';'); + if ( !$q ) + $db->_die(); + if ( $db->numrows() > 0 && !$can_edit_acl ) + { + $resp['error'] = 'This tag is used in an ACL page group, and thus can\'t be added to a page by people without administrator privileges.'; + die($json->encode($resp)); + } + $resp['in_acl'] = ( $db->numrows() > 0 ); + $db->free_result(); + + // we're good + $q = $db->sql_query('INSERT INTO '.table_prefix.'tags(tag_name,page_id,namespace,user) VALUES(\'' . $tag . '\', \'' . $db->escape($paths->cpage['urlname_nons']) . '\', \'' . $db->escape($paths->namespace) . '\', ' . $session->user_id . ');'); + if ( !$q ) + $db->_die(); + + $resp['success'] = true; + $resp['tag'] = $tag; + $resp['tag_id'] = $db->insert_id(); + + echo $json->encode($resp); + break; + case 'deltag': + + $tag_id = intval($_POST['tag_id']); + if ( empty($tag_id) ) + die('Invalid tag ID'); + + $q = $db->sql_query('SELECT t.tag_id, t.user, t.page_id, t.namespace, pg.pg_target IS NOT NULL AS used_in_acl FROM '.table_prefix.'tags AS t + LEFT JOIN '.table_prefix.'page_groups AS pg + ON ( pg.pg_id IS NULL OR ( pg.pg_target = t.tag_name AND pg.pg_type = ' . PAGE_GRP_TAGGED . ' ) ) + WHERE t.tag_id=' . $tag_id . ';'); + + if ( !$q ) + $db->_die(); + + if ( $db->numrows() < 1 ) + die('Could not find a tag with that ID'); + + $row = $db->fetchrow(); + $db->free_result(); + + if ( $row['page_id'] == $paths->cpage['urlname_nons'] && $row['namespace'] == $paths->namespace ) + $perms =& $session; + else + $perms = $session->fetch_page_acl($row['page_id'], $row['namespace']); + + $perm = ( $row['user'] != $session->user_id ) ? + 'tag_delete_other' : + 'tag_delete_own'; + + if ( $row['user'] == 1 && !$session->user_logged_in ) + // anonymous user trying to delete tag (hardcode blacklisted) + die('You are not authorized to delete this tag.'); + + if ( !$perms->get_permissions($perm) ) + die('You are not authorized to delete this tag.'); + + if ( $row['used_in_acl'] == 1 && !$perms->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN ) + die('You are not authorized to delete this tag.'); + + // We're good + $q = $db->sql_query('DELETE FROM '.table_prefix.'tags WHERE tag_id = ' . $tag_id . ';'); + if ( !$q ) + $db->_die(); + + echo 'success'; + + break; + case 'ping': + echo 'pong'; + break; + default: + die('Hacking attempt'); + break; + } + ?> \ No newline at end of file diff -r ebe99e82a59a -r 473cc747022a includes/clientside/sbedit.js --- a/includes/clientside/sbedit.js Sat Oct 20 21:44:13 2007 -0400 +++ b/includes/clientside/sbedit.js Fri Oct 26 19:28:54 2007 -0400 @@ -164,7 +164,7 @@ var id = input.sbedit_id; var parent = input.parentNode; parent.removeChild(input); - parent.appendChild(document.createTextNode(newname)); + parent.appendChild(document.createTextNode(( newname == '' ? '' : newname ))); parent.ondblclick = function() { ajaxRenameSidebarStage1(this, this._idcache); return false; }; var img = document.createElement('img'); img.src = scriptPath + '/images/loading.gif'; diff -r ebe99e82a59a -r 473cc747022a includes/clientside/static/enano-lib-basic.js --- a/includes/clientside/static/enano-lib-basic.js Sat Oct 20 21:44:13 2007 -0400 +++ b/includes/clientside/static/enano-lib-basic.js Fri Oct 26 19:28:54 2007 -0400 @@ -112,6 +112,7 @@ var startwidth = false; var startheight = false; var do_width = false; +var ajax_load_icon = scriptPath + '/images/loading.gif'; // You have an NSIS coder in your midst... var MB_OK = 1; diff -r ebe99e82a59a -r 473cc747022a includes/clientside/static/misc.js --- a/includes/clientside/static/misc.js Sat Oct 20 21:44:13 2007 -0400 +++ b/includes/clientside/static/misc.js Fri Oct 26 19:28:54 2007 -0400 @@ -196,7 +196,7 @@ { if ( document.getElementById('ajaxloadicon') ) { - document.getElementById('ajaxloadicon').src=scriptPath + '/images/loading.gif'; + document.getElementById('ajaxloadicon').src=ajax_load_icon; } } diff -r ebe99e82a59a -r 473cc747022a includes/pageutils.php --- a/includes/pageutils.php Sat Oct 20 21:44:13 2007 -0400 +++ b/includes/pageutils.php Fri Oct 26 19:28:54 2007 -0400 @@ -16,18 +16,27 @@ class PageUtils { /** - * List possible username completions + * Tell if a username is used or not. * @param $name the name to check for - * @return array + * @return string */ function checkusername($name) { global $db, $session, $paths, $template, $plugins; // Common objects - $q = $db->sql_query('SELECT username FROM '.table_prefix.'users WHERE username=\''.$db->escape(rawurldecode($name)).'\''); - if(!$q) die(mysql_error()); - if($db->numrows() < 1) { $db->free_result(); return('good'); } - else { $db->free_result(); return('bad'); } + $q = $db->sql_query('SELECT username FROM ' . table_prefix.'users WHERE username=\'' . $db->escape(rawurldecode($name)) . '\''); + if ( !$q ) + { + die(mysql_error()); + } + if ( $db->numrows() < 1) + { + $db->free_result(); return('good'); + } + else + { + $db->free_result(); return('bad'); + } } /** @@ -58,10 +67,10 @@ $pid = RenderMan::strToPageID($page); if($pid[1] == 'Special' || $pid[1] == 'Admin') { - die('This type of page ('.$paths->nslist[$pid[1]].') cannot be edited because the page source code is not stored in the database.'); + die('This type of page (' . $paths->nslist[$pid[1]] . ') cannot be edited because the page source code is not stored in the database.'); } - $e = $db->sql_query('SELECT page_text,char_tag FROM '.table_prefix.'page_text WHERE page_id=\''.$pid[0].'\' AND namespace=\''.$pid[1].'\''); + $e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'page_text WHERE page_id=\'' . $pid[0] . '\' AND namespace=\'' . $pid[1] . '\''); if ( !$e ) { $db->_die('The page text could not be selected.'); @@ -124,7 +133,7 @@ return $r; } - $fname = 'page_'.$pid[1].'_'.$paths->pages[$page]['urlname_nons']; + $fname = 'page_' . $pid[1] . '_' . $paths->pages[$page]['urlname_nons']; @call_user_func($fname); } @@ -148,7 +157,7 @@ return $r; } - $fname = 'page_'.$pid[1].'_'.$pid[0]; + $fname = 'page_' . $pid[1] . '_' . $pid[0]; if ( !function_exists($fname) ) { $title = 'Page backend not found'; @@ -191,12 +200,17 @@

You have requested a page that doesn\'t exist yet.'; if($session->get_permissions('create_page')) echo ' You can create this page, or return to the homepage.'; else echo ' Return to the homepage.

'; - if($session->get_permissions('history_rollback')) { - $e = $db->sql_query('SELECT * FROM '.table_prefix.'logs WHERE action=\'delete\' AND page_id=\''.$paths->cpage['urlname_nons'].'\' AND namespace=\''.$pid[1].'\' ORDER BY time_id DESC;'); - if(!$e) $db->_die('The deletion log could not be selected.'); - if($db->numrows() > 0) { + if ( $session->get_permissions('history_rollback') ) + { + $e = $db->sql_query('SELECT * FROM ' . table_prefix.'logs WHERE action=\'delete\' AND page_id=\'' . $paths->cpage['urlname_nons'] . '\' AND namespace=\'' . $pid[1] . '\' ORDER BY time_id DESC;'); + if ( !$e ) + { + $db->_die('The deletion log could not be selected.'); + } + if ($db->numrows() > 0 ) + { $r = $db->fetchrow(); - echo '

This page also appears to have some log entries in the database - it seems that it was deleted on '.$r['date_string'].'. You can probably roll back the deletion.

'; + echo '

This page also appears to have some log entries in the database - it seems that it was deleted on ' . $r['date_string'] . '. You can probably roll back the deletion.

'; } $db->free_result(); } @@ -234,15 +248,16 @@ return $text; } - if($hist_id) { - $e = $db->sql_query('SELECT page_text,date_string,char_tag FROM '.table_prefix.'logs WHERE page_id=\''.$paths->pages[$page]['urlname_nons'].'\' AND namespace=\''.$pid[1].'\' AND log_type=\'page\' AND action=\'edit\' AND time_id='.$db->escape($hist_id).''); + if ( $hist_id ) + { + $e = $db->sql_query('SELECT page_text,date_string,char_tag FROM ' . table_prefix.'logs WHERE page_id=\'' . $paths->pages[$page]['urlname_nons'] . '\' AND namespace=\'' . $pid[1] . '\' AND log_type=\'page\' AND action=\'edit\' AND time_id=' . $db->escape($hist_id) . ''); if($db->numrows() < 1) { $db->_die('There were no rows in the text table that matched the page text query.'); } $r = $db->fetchrow(); $db->free_result(); - $message = '
Notice:
The page you are viewing was archived on '.$r['date_string'].'.
View current version | Restore this version

'.RenderMan::render($r['page_text']); + $message = '
Notice:
The page you are viewing was archived on ' . $r['date_string'] . '.
View current version | Restore this version

'.RenderMan::render($r['page_text']); if( !$paths->pages[$page]['special'] ) { @@ -253,7 +268,7 @@ display_page_headers(); } - eval('?>'.$message); + eval('?>' . $message); if( !$paths->pages[$page]['special'] ) { @@ -287,7 +302,7 @@ // This is it, this is what all of Enano has been working up to... - eval('?>'.$message); + eval('?>' . $message); if( !$paths->pages[$page]['special'] ) { @@ -323,8 +338,9 @@ if(!isset($paths->pages[$pname])) { - if(!PageUtils::createPage($page_id, $namespace)) - return 'The page did not exist, and I was not able to create it. Permissions problem?'; + $create = PageUtils::createPage($page_id, $namespace); + if ( $create != 'good' ) + return 'The page did not exist, and I was not able to create it. The reported error was: ' . $create; $paths->page_exists = true; } @@ -338,10 +354,10 @@ $msg = $db->escape($message); $minor = $minor ? 'true' : 'false'; - $q='INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.date('d M Y h:i a').'\', \''.$paths->cpage['urlname_nons'].'\', \''.$paths->namespace.'\', \''.$msg.'\', \''.$uid.'\', \''.$session->username.'\', \''.$db->escape(htmlspecialchars($summary)).'\', '.$minor.');'; + $q='INSERT INTO ' . table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.date('d M Y h:i a').'\', \'' . $paths->cpage['urlname_nons'] . '\', \'' . $paths->namespace . '\', \'' . $msg . '\', \'' . $uid . '\', \'' . $session->username . '\', \'' . $db->escape(htmlspecialchars($summary)) . '\', ' . $minor . ');'; if(!$db->sql_query($q)) $db->_die('The history (log) entry could not be inserted into the logs table.'); - $q = 'UPDATE '.table_prefix.'page_text SET page_text=\''.$msg.'\',char_tag=\''.$uid.'\' WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\';'; + $q = 'UPDATE ' . table_prefix.'page_text SET page_text=\'' . $msg . '\',char_tag=\'' . $uid . '\' WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'; $e = $db->sql_query($q); if(!$e) $db->_die('Enano was unable to save the page contents. Your changes have been lost :\'(.'); @@ -363,32 +379,38 @@ if(in_array($namespace, Array('Special', 'Admin'))) { // echo 'Notice: PageUtils::createPage: You can\'t create a special page in the database
'; - return false; // Can't create a special page + return 'You can\'t create a special page in the database'; } if(!isset($paths->nslist[$namespace])) { // echo 'Notice: PageUtils::createPage: Couldn\'t look up the namespace
'; - return false; // Couldn't look up namespace + return 'Couldn\'t look up the namespace'; } $pname = $paths->nslist[$namespace] . $page_id; if(isset($paths->pages[$pname])) { // echo 'Notice: PageUtils::createPage: Page already exists
'; - return false; // Page already exists + return 'Page already exists'; } if(!$session->get_permissions('create_page')) { // echo 'Notice: PageUtils::createPage: Not authorized to create pages
'; - return false; // Access denied + return 'Not authorized to create pages'; } if($session->user_level < USER_LEVEL_ADMIN && $namespace == 'System') { // echo 'Notice: PageUtils::createPage: Not authorized to create system messages
'; - return false; // Not authorized to create system messages + return 'Not authorized to create system messages'; + } + + if ( substr($page_id, 0, 8) == 'Project:' ) + { + // echo 'Notice: PageUtils::createPage: Prefix "Project:" is reserved
'; + return 'The prefix "Project:" is reserved for a parser shortcut; if a page was created using this prefix, it would not be possible to link to it.'; } $page_id = dirtify_page_id($page_id); @@ -399,7 +421,7 @@ if(!preg_match($regex, $page)) { //echo 'Notice: PageUtils::createPage: Name contains invalid characters
'; - return false; // Name contains invalid characters + return 'Name contains invalid characters'; } $page_id = sanitize_page_id( $page_id ); @@ -422,16 +444,15 @@ $paths->add_page($page_data); - $qa = $db->sql_query('INSERT INTO '.table_prefix.'pages(name,urlname,namespace,visible,protected,delvote_ips) VALUES(\''.$db->escape($name).'\', \''.$db->escape($page_id).'\', \''.$namespace.'\', '. ( $visible ? '1' : '0' ) .', '.$prot.', \'' . $db->escape(serialize($ips)) . '\');'); - $qb = $db->sql_query('INSERT INTO '.table_prefix.'page_text(page_id,namespace) VALUES(\''.$db->escape($page_id).'\', \''.$namespace.'\');'); - $qc = $db->sql_query('INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'create\', \''.$session->username.'\', \''.$db->escape($page_id).'\', \''.$namespace.'\');'); + $qa = $db->sql_query('INSERT INTO ' . table_prefix.'pages(name,urlname,namespace,visible,protected,delvote_ips) VALUES(\'' . $db->escape($name) . '\', \'' . $db->escape($page_id) . '\', \'' . $namespace . '\', '. ( $visible ? '1' : '0' ) .', ' . $prot . ', \'' . $db->escape(serialize($ips)) . '\');'); + $qb = $db->sql_query('INSERT INTO ' . table_prefix.'page_text(page_id,namespace) VALUES(\'' . $db->escape($page_id) . '\', \'' . $namespace . '\');'); + $qc = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'create\', \'' . $session->username . '\', \'' . $db->escape($page_id) . '\', \'' . $namespace . '\');'); if($qa && $qb && $qc) - return true; + return 'good'; else { - echo $db->get_error(); - return false; + return $db->get_error(); } } @@ -451,31 +472,41 @@ $wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false; $prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false; - if(!$session->get_permissions('protect')) return('Insufficient access rights'); - if(!$wiki) return('Page protection only has an effect when Wiki Mode is enabled.'); - if(!preg_match('#^([0-9]+){1}$#', (string)$level)) return('Invalid $level parameter.'); - - if($reason!='NO_REASON') { - switch($level) - { - case 0: - $q = 'INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'unprot\', \''.$session->username.'\', \''.$page_id.'\', \''.$namespace.'\', \''.$db->escape(htmlspecialchars($reason)).'\');'; - break; - case 1: - $q = 'INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'prot\', \''.$session->username.'\', \''.$page_id.'\', \''.$namespace.'\', \''.$db->escape(htmlspecialchars($reason)).'\');'; - break; - case 2: - $q = 'INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'semiprot\', \''.$session->username.'\', \''.$page_id.'\', \''.$namespace.'\', \''.$db->escape(htmlspecialchars($reason)).'\');'; - break; - default: - return 'PageUtils::protect(): Invalid value for $level'; - break; - } - if(!$db->sql_query($q)) $db->_die('The log entry for the page protection could not be inserted.'); + if ( !$session->get_permissions('protect') ) + { + return('Insufficient access rights'); + } + if ( !$wiki ) + { + return('Page protection only has an effect when Wiki Mode is enabled.'); + } + if ( !preg_match('#^([0-9]+){1}$#', (string)$level) ) + { + return('Invalid $level parameter.'); } - $q = $db->sql_query('UPDATE '.table_prefix.'pages SET protected='.$_POST['level'].' WHERE urlname=\''.$page_id.'\' AND namespace=\''.$namespace.'\';'); - if(!$q) $db->_die('The pages table was not updated.'); + switch($level) + { + case 0: + $q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'unprot\', \'' . $session->username . '\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');'; + break; + case 1: + $q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'prot\', \'' . $session->username . '\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');'; + break; + case 2: + $q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'semiprot\', \'' . $session->username . '\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');'; + break; + default: + return 'PageUtils::protect(): Invalid value for $level'; + break; + } + if(!$db->sql_query($q)) $db->_die('The log entry for the page protection could not be inserted.'); + + $q = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=' . $level . ' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); + if ( !$q ) + { + $db->_die('The pages table was not updated.'); + } return('good'); } @@ -500,8 +531,8 @@ $wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false; $prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false; - $q = 'SELECT time_id,date_string,page_id,namespace,author,edit_summary,minor_edit FROM '.table_prefix.'logs WHERE log_type=\'page\' AND action=\'edit\' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' ORDER BY time_id DESC;'; - if(!$db->sql_query($q)) $db->_die('The history data for the page "'.$paths->cpage['name'].'" could not be selected.'); + $q = 'SELECT time_id,date_string,page_id,namespace,author,edit_summary,minor_edit FROM ' . table_prefix.'logs WHERE log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' ORDER BY time_id DESC;'; + if(!$db->sql_query($q)) $db->_die('The history data for the page "' . $paths->cpage['name'] . '" could not be selected.'); echo 'History of edits and actions

Edits:

'; $numrows = $db->numrows(); if($numrows < 1) echo 'No history entries in this category.'; @@ -552,29 +583,38 @@ $s1 = ''; $s2 = ''; } - if($ticker > 1) echo ''."\n"; else echo ''; - if($ticker < $numrows) echo ''."\n"; else echo ''; + if($ticker > 1) echo ''."\n"; else echo ''; + if($ticker < $numrows) echo ''."\n"; else echo ''; // Date and time - echo ''.$r['date_string'].''."\n"; + echo '' . $r['date_string'] . ''."\n"; // User - if($session->get_permissions('mod_misc') && preg_match('#^([0-9]*){1,3}\.([0-9]*){1,3}\.([0-9]*){1,3}\.([0-9]*){1,3}$#', $r['author'])) $rc = ' style="cursor: pointer;" title="Click cell background for reverse DNS info" onclick="ajaxReverseDNS(this, \''.$r['author'].'\');"'; - else $rc = ''; - echo 'nslist['User'] . $r['author'])) echo 'class="wikilink-nonexistent"'; - echo '>'.$r['author'].''."\n"; + if ( $session->get_permissions('mod_misc') && is_valid_ip($r['author']) ) + { + $rc = ' style="cursor: pointer;" title="Click cell background for reverse DNS info" onclick="ajaxReverseDNS(this, \'' . $r['author'] . '\');"'; + } + else + { + $rc = ''; + } + echo 'nslist['User'] . $r['author']) ) + { + echo 'class="wikilink-nonexistent"'; + } + echo '>' . $r['author'] . ''."\n"; // Edit summary - echo ''.$r['edit_summary'].''."\n"; + echo '' . $r['edit_summary'] . ''."\n"; // Minor edit - echo ''. (( $r['minor_edit'] ) ? 'M' : '' ) .''."\n"; + echo ''. (( $r['minor_edit'] ) ? 'M' : '' ) .''."\n"; // Actions! - echo 'View revision'."\n"; - echo 'View user contribs'."\n"; - echo 'Revert to this revision'."\n"; + echo 'View revision'."\n"; + echo 'View user contribs'."\n"; + echo 'Revert to this revision'."\n"; echo ''."\n"."\n"; @@ -589,8 +629,8 @@ } $db->free_result(); echo '

Other changes:

'; - $q = 'SELECT time_id,action,date_string,page_id,namespace,author,edit_summary,minor_edit FROM '.table_prefix.'logs WHERE log_type=\'page\' AND action!=\'edit\' AND page_id=\''.$paths->cpage['urlname_nons'].'\' AND namespace=\''.$paths->namespace.'\' ORDER BY time_id DESC;'; - if(!$db->sql_query($q)) $db->_die('The history data for the page "'.$paths->cpage['name'].'" could not be selected.'); + $q = 'SELECT time_id,action,date_string,page_id,namespace,author,edit_summary,minor_edit FROM ' . table_prefix.'logs WHERE log_type=\'page\' AND action!=\'edit\' AND page_id=\'' . $paths->cpage['urlname_nons'] . '\' AND namespace=\'' . $paths->namespace . '\' ORDER BY time_id DESC;'; + if(!$db->sql_query($q)) $db->_die('The history data for the page "' . $paths->cpage['name'] . '" could not be selected.'); if($db->numrows() < 1) echo 'No history entries in this category.'; else { @@ -604,34 +644,34 @@ echo ''; // Date and time - echo ''.$r['date_string'].''; + echo '' . $r['date_string'] . ''; // User - echo 'nslist['User'] . $r['author'])) echo 'class="wikilink-nonexistent"'; - echo '>'.$r['author'].''; + echo '>' . $r['author'] . ''; // Minor edit - echo ''. (( $r['minor_edit'] ) ? 'M' : '' ) .''; + echo ''. (( $r['minor_edit'] ) ? 'M' : '' ) .''; // Action taken - echo ''; + echo ''; // Some of these are sanitized at insert-time. Others follow the newer Enano policy of stripping HTML at runtime. - if ($r['action']=='prot') echo 'Protected pageReason: '.$r['edit_summary']; - elseif($r['action']=='unprot') echo 'Unprotected pageReason: '.$r['edit_summary']; - elseif($r['action']=='semiprot') echo 'Semi-protected pageReason: '.$r['edit_summary']; - elseif($r['action']=='rename') echo 'Renamed pageOld title: '.htmlspecialchars($r['edit_summary']); - elseif($r['action']=='create') echo 'Created page'; - elseif($r['action']=='delete') echo 'Deleted pageReason: '.$r['edit_summary']; - elseif($r['action']=='reupload') echo 'Uploaded new file versionReason: '.htmlspecialchars($r['edit_summary']); + if ($r['action']=='prot') echo 'Protected pageReason: ' . $r['edit_summary']; + elseif($r['action']=='unprot') echo 'Unprotected pageReason: ' . $r['edit_summary']; + elseif($r['action']=='semiprot') echo 'Semi-protected pageReason: ' . $r['edit_summary']; + elseif($r['action']=='rename') echo 'Renamed pageOld title: '.htmlspecialchars($r['edit_summary']); + elseif($r['action']=='create') echo 'Created page'; + elseif($r['action']=='delete') echo 'Deleted pageReason: ' . $r['edit_summary']; + elseif($r['action']=='reupload') echo 'Uploaded new file versionReason: '.htmlspecialchars($r['edit_summary']); echo ''; // Actions! - echo 'View user contribs'; - echo 'Revert action'; + echo 'View user contribs'; + echo 'Revert action'; - //echo '(rollback) '.$r['date_string'].' '.$r['author'].' (Userpage, Contrib): '; + //echo '(rollback) ' . $r['date_string'] . ' ' . $r['author'] . ' (Userpage, Contrib): '; if($r['minor_edit']) echo ' - minor edit'; echo '
'; @@ -663,7 +703,7 @@ { return('The value "id" on the query string must be an integer.'); } - $e = $db->sql_query('SELECT log_type,action,date_string,page_id,namespace,page_text,char_tag,author,edit_summary FROM '.table_prefix.'logs WHERE time_id='.$id.';'); + $e = $db->sql_query('SELECT log_type,action,date_string,page_id,namespace,page_text,char_tag,author,edit_summary FROM ' . table_prefix.'logs WHERE time_id=' . $id . ';'); if ( !$e ) { $db->_die('The rollback data could not be selected.'); @@ -719,56 +759,56 @@ if ( !$perms->get_permissions('edit_page') ) return "You don't have permission to edit pages, so rolling back edits can't be allowed either."; $t = $db->escape($rb['page_text']); - $e = $db->sql_query('UPDATE '.table_prefix.'page_text SET page_text=\''.$t.'\',char_tag=\''.$rb['char_tag'].'\' WHERE page_id=\''.$rb['page_id'].'\' AND namespace=\''.$rb['namespace'].'\''); + $e = $db->sql_query('UPDATE ' . table_prefix.'page_text SET page_text=\'' . $t . '\',char_tag=\'' . $rb['char_tag'] . '\' WHERE page_id=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\''); if ( !$e ) { return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace()); } else { - return 'The page "'.$paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been rolled back to the state it was in on '.$rb['date_string'].'.'; + return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been rolled back to the state it was in on ' . $rb['date_string'] . '.'; } break; case "rename": if ( !$perms->get_permissions('rename') ) return "You don't have permission to rename pages, so rolling back renames can't be allowed either."; $t = $db->escape($rb['edit_summary']); - $e = $db->sql_query('UPDATE '.table_prefix.'pages SET name=\''.$t.'\' WHERE urlname=\''.$rb['page_id'].'\' AND namespace=\''.$rb['namespace'].'\''); + $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET name=\'' . $t . '\' WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\''); if ( !$e ) { return "An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace(); } else { - return 'The page "'.$paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been rolled back to the name it had ("'.$rb['edit_summary'].'") before '.$rb['date_string'].'.'; + return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been rolled back to the name it had ("' . $rb['edit_summary'] . '") before ' . $rb['date_string'] . '.'; } break; case "prot": if ( !$perms->get_permissions('protect') ) return "You don't have permission to protect pages, so rolling back protection can't be allowed either."; - $e = $db->sql_query('UPDATE '.table_prefix.'pages SET protected=0 WHERE urlname=\''.$rb['page_id'].'\' AND namespace=\''.$rb['namespace'].'\''); + $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=0 WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\''); if ( !$e ) return "An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace(); else - return 'The page "'.$paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been unprotected according to the log created at '.$rb['date_string'].'.'; + return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been unprotected according to the log created at ' . $rb['date_string'] . '.'; break; case "semiprot": if ( !$perms->get_permissions('protect') ) return "You don't have permission to protect pages, so rolling back protection can't be allowed either."; - $e = $db->sql_query('UPDATE '.table_prefix.'pages SET protected=0 WHERE urlname=\''.$rb['page_id'].'\' AND namespace=\''.$rb['namespace'].'\''); + $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=0 WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\''); if ( !$e ) return "An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace(); else - return 'The page "'.$paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been unprotected according to the log created at '.$rb['date_string'].'.'; + return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been unprotected according to the log created at ' . $rb['date_string'] . '.'; break; case "unprot": if ( !$perms->get_permissions('protect') ) return "You don't have permission to protect pages, so rolling back protection can't be allowed either."; - $e = $db->sql_query('UPDATE '.table_prefix.'pages SET protected=1 WHERE urlname=\''.$rb['page_id'].'\' AND namespace=\''.$rb['namespace'].'\''); + $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=1 WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\''); if ( !$e ) return "An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace(); else - return 'The page "'.$paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been protected according to the log created at '.$rb['date_string'].'.'; + return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been protected according to the log created at ' . $rb['date_string'] . '.'; break; case "delete": if ( !$perms->get_permissions('history_rollback_extra') ) @@ -776,11 +816,11 @@ if ( isset($paths->pages[$paths->cpage['urlname']]) ) return 'You cannot raise a dead page that is alive.'; $name = str_replace('_', ' ', $rb['page_id']); - $e = $db->sql_query('INSERT INTO '.table_prefix.'pages(name,urlname,namespace) VALUES( \''.$name.'\', \''.$rb['page_id'].'\',\''.$rb['namespace'].'\' )');if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace()); - $e = $db->sql_query('SELECT page_text,char_tag FROM '.table_prefix.'logs WHERE page_id=\''.$rb['page_id'].'\' AND namespace=\''.$rb['namespace'].'\' AND log_type=\'page\' AND action=\'edit\' ORDER BY time_id DESC;'); if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace()); + $e = $db->sql_query('INSERT INTO ' . table_prefix.'pages(name,urlname,namespace) VALUES( \'' . $name . '\', \'' . $rb['page_id'] . '\',\'' . $rb['namespace'] . '\' )');if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace()); + $e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'logs WHERE page_id=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\' AND log_type=\'page\' AND action=\'edit\' ORDER BY time_id DESC;'); if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace()); $r = $db->fetchrow(); - $e = $db->sql_query('INSERT INTO '.table_prefix.'page_text(page_id,namespace,page_text,char_tag) VALUES(\''.$rb['page_id'].'\',\''.$rb['namespace'].'\',\''.$db->escape($r['page_text']).'\',\''.$r['char_tag'].'\')'); if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace()); - return 'The page "'.$name.'" has been undeleted according to the log created at '.$rb['date_string'].'.'; + $e = $db->sql_query('INSERT INTO ' . table_prefix.'page_text(page_id,namespace,page_text,char_tag) VALUES(\'' . $rb['page_id'] . '\',\'' . $rb['namespace'] . '\',\'' . $db->escape($r['page_text']) . '\',\'' . $r['char_tag'] . '\')'); if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace()); + return 'The page "' . $name . '" has been undeleted according to the log created at ' . $rb['date_string'] . '.'; break; case "reupload": if ( !$session->get_permissions('history_rollbacks_extra') ) @@ -789,23 +829,23 @@ } $newtime = time(); $newdate = date('d M Y h:i a'); - if(!$db->sql_query('UPDATE '.table_prefix.'logs SET time_id='.$newtime.',date_string=\''.$newdate.'\' WHERE time_id='.$id)) + if(!$db->sql_query('UPDATE ' . table_prefix.'logs SET time_id=' . $newtime . ',date_string=\'' . $newdate . '\' WHERE time_id=' . $id)) return 'Error during query: '.mysql_error(); - if(!$db->sql_query('UPDATE '.table_prefix.'files SET time_id='.$newtime.' WHERE time_id='.$id)) + if(!$db->sql_query('UPDATE ' . table_prefix.'files SET time_id=' . $newtime . ' WHERE time_id=' . $id)) return 'Error during query: '.mysql_error(); return 'The file has been rolled back to the version uploaded on '.date('d M Y h:i a', (int)$id).'.'; break; default: - return('Rollback of the action "'.$rb['action'].'" is not yet supported.'); + return('Rollback of the action "' . $rb['action'] . '" is not yet supported.'); break; } break; case "security": case "login": - return('A '.$rb['log_type'].'-related log entry cannot be rolled back.'); + return('A ' . $rb['log_type'] . '-related log entry cannot be rolled back.'); break; default: - return('Unknown log entry type: "'.$rb['log_type'].'"'); + return('Unknown log entry type: "' . $rb['log_type'] . '"'); } } @@ -836,9 +876,9 @@ $name = $session->user_logged_in ? RenderMan::preprocess_text($session->username) : RenderMan::preprocess_text($name); $subj = RenderMan::preprocess_text($subject); if(getConfig('approve_comments')=='1') $appr = '0'; else $appr = '1'; - $q = 'INSERT INTO '.table_prefix.'comments(page_id,namespace,subject,comment_data,name,user_id,approved,time) VALUES(\''.$page_id.'\',\''.$namespace.'\',\''.$subj.'\',\''.$text.'\',\''.$name.'\','.$session->user_id.','.$appr.','.time().')'; + $q = 'INSERT INTO ' . table_prefix.'comments(page_id,namespace,subject,comment_data,name,user_id,approved,time) VALUES(\'' . $page_id . '\',\'' . $namespace . '\',\'' . $subj . '\',\'' . $text . '\',\'' . $name . '\',' . $session->user_id . ',' . $appr . ','.time().')'; $e = $db->sql_query($q); - if(!$e) die('alert(unescape(\''.rawurlencode('Error inserting comment data: '.mysql_error().'\n\nQuery:\n'.$q).'\'))'); + if(!$e) die('alert(unescape(\''.rawurlencode('Error inserting comment data: '.mysql_error().'\n\nQuery:\n' . $q) . '\'))'); else $_ob .= '
Your comment has been posted.
'; return PageUtils::comments($page_id, $namespace, false, Array(), $_ob); } @@ -868,15 +908,15 @@ case "delete": if(isset($flags['id'])) { - $q = 'DELETE FROM '.table_prefix.'comments WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND comment_id='.intval($flags['id']).' LIMIT 1;'; + $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND comment_id='.intval($flags['id']).' LIMIT 1;'; } else { $n = $db->escape($flags['name']); $s = $db->escape($flags['subj']); $t = $db->escape($flags['text']); - $q = 'DELETE FROM '.table_prefix.'comments WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND name=\''.$n.'\' AND subject=\''.$s.'\' AND comment_data=\''.$t.'\' LIMIT 1;'; + $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\' LIMIT 1;'; } $e=$db->sql_query($q); - if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n'.$q).'\'));'); + if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));'); break; case "approve": if(isset($flags['id'])) @@ -886,20 +926,20 @@ $n = $db->escape($flags['name']); $s = $db->escape($flags['subj']); $t = $db->escape($flags['text']); - $where = 'name=\''.$n.'\' AND subject=\''.$s.'\' AND comment_data=\''.$t.'\''; + $where = 'name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\''; } - $q = 'SELECT approved FROM '.table_prefix.'comments WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND '.$where.' LIMIT 1;'; + $q = 'SELECT approved FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND ' . $where . ' LIMIT 1;'; $e = $db->sql_query($q); - if(!$e) die('alert(unesape(\''.rawurlencode('Error selecting approval status: '.mysql_error().'\n\nQuery:\n'.$q).'\'));'); + if(!$e) die('alert(unesape(\''.rawurlencode('Error selecting approval status: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));'); $r = $db->fetchrow(); $db->free_result(); $a = ( $r['approved'] ) ? '0' : '1'; - $q = 'UPDATE '.table_prefix.'comments SET approved='.$a.' WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND '.$where.';'; + $q = 'UPDATE ' . table_prefix.'comments SET approved=' . $a . ' WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND ' . $where . ';'; $e=$db->sql_query($q); - if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n'.$q).'\'));'); + if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));'); if($a=='1') $v = 'Unapprove'; else $v = 'Approve'; - echo 'document.getElementById("mdgApproveLink'.$_GET['id'].'").innerHTML="'.$v.'";'; + echo 'document.getElementById("mdgApproveLink'.intval($_GET['id']).'").innerHTML="' . $v . '";'; break; } } @@ -911,31 +951,31 @@ $tpl = $template->makeParser('comment.tpl'); - $e = $db->sql_query('SELECT * FROM '.table_prefix.'comments WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND approved=0;'); + $e = $db->sql_query('SELECT * FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND approved=0;'); if(!$e) $db->_die('The comment text data could not be selected.'); $num_unapp = $db->numrows(); $db->free_result(); - $e = $db->sql_query('SELECT * FROM '.table_prefix.'comments WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND approved=1;'); + $e = $db->sql_query('SELECT * FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND approved=1;'); if(!$e) $db->_die('The comment text data could not be selected.'); $num_app = $db->numrows(); $db->free_result(); $lq = $db->sql_query('SELECT c.comment_id,c.subject,c.name,c.comment_data,c.approved,c.time,c.user_id,u.user_level,u.signature - FROM '.table_prefix.'comments AS c - LEFT JOIN '.table_prefix.'users AS u + FROM ' . table_prefix.'comments AS c + LEFT JOIN ' . table_prefix.'users AS u ON c.user_id=u.user_id - WHERE page_id=\''.$page_id.'\' - AND namespace=\''.$namespace.'\' ORDER BY c.time ASC;'); + WHERE page_id=\'' . $page_id . '\' + AND namespace=\'' . $namespace . '\' ORDER BY c.time ASC;'); if(!$lq) _die('The comment text data could not be selected. '.mysql_error()); $_ob .= '

Article Comments

'; $n = ( $session->get_permissions('mod_comments')) ? $db->numrows() : $num_app; - if($n==1) $s = 'is '.$n.' comment'; else $s = 'are '.$n.' comments'; + if($n==1) $s = 'is ' . $n . ' comment'; else $s = 'are ' . $n . ' comments'; if($n < 1) { $_ob .= '

There are currently no comments on this '.strtolower($namespace).''; if($namespace != 'Article') $_ob .= ' page'; $_ob .= '.

'; - } else $_ob .= '

There '.$s.' on this article.'; - if($session->get_permissions('mod_comments') && $num_unapp > 0) $_ob .= ' '.$num_unapp.' of those are unapproved.'; + } else $_ob .= '

There ' . $s . ' on this article.'; + if($session->get_permissions('mod_comments') && $num_unapp > 0) $_ob .= ' ' . $num_unapp . ' of those are unapproved.'; elseif(!$session->get_permissions('mod_comments') && $num_unapp > 0) { $u = ($num_unapp == 1) ? "is $num_unapp comment" : "are $num_unapp comments"; $_ob .= ' However, there ' . $u . ' awating approval.'; } $_ob .= '

'; $list = 'list = { '; @@ -946,7 +986,8 @@ $i++; $strings = Array(); $bool = Array(); - if($session->get_permissions('mod_comments') || $row['approved']) { + if ( $session->get_permissions('mod_comments') || $row['approved'] ) + { $list .= $i . ' : { \'comment\' : unescape(\''.rawurlencode($row['comment_data']).'\'), \'name\' : unescape(\''.rawurlencode($row['name']).'\'), \'subject\' : unescape(\''.rawurlencode($row['subject']).'\'), }, '; // Comment ID (used in the Javascript apps) @@ -992,10 +1033,10 @@ if($session->get_permissions('edit_comments')) { // Edit link - $strings['EDIT_LINK'] = 'edit'; + $strings['EDIT_LINK'] = 'edit'; // Delete link - $strings['DELETE_LINK'] = 'delete'; + $strings['DELETE_LINK'] = 'delete'; } else { @@ -1007,19 +1048,19 @@ } // Send PM link - $strings['SEND_PM_LINK'] = ( $session->user_logged_in && $row['user_id'] > 0 ) ? 'Send private message
' : ''; + $strings['SEND_PM_LINK'] = ( $session->user_logged_in && $row['user_id'] > 0 ) ? 'Send private message
' : ''; // Add Buddy link - $strings['ADD_BUDDY_LINK'] = ( $session->user_logged_in && $row['user_id'] > 0 ) ? 'Add to buddy list' : ''; + $strings['ADD_BUDDY_LINK'] = ( $session->user_logged_in && $row['user_id'] > 0 ) ? 'Add to buddy list' : ''; // Mod links $applink = ''; - $applink .= ''; + $applink .= ''; if($row['approved']) $applink .= 'Unapprove'; else $applink .= 'Approve'; $applink .= ''; $strings['MOD_APPROVE_LINK'] = $applink; unset($applink); - $strings['MOD_DELETE_LINK'] = 'Delete'; + $strings['MOD_DELETE_LINK'] = 'Delete'; // Signature $strings['SIGNATURE'] = ''; @@ -1046,19 +1087,19 @@ $_ob .= '

Got something to say?

If you have comments or suggestions on this article, you can shout it out here.'; if(getConfig('approve_comments')=='1') $_ob .= ' Before your comment will be visible to the public, a moderator will have to approve it.'; if(getConfig('comments_need_login') == '1' && !$session->user_logged_in) $_ob .= ' Because you are not logged in, you will need to enter a visual confirmation before your comment will be posted.'; - $sn = $session->user_logged_in ? $session->username . '' : ''; + $sn = $session->user_logged_in ? $session->username . '' : ''; $_ob .= '

Comment form

- + '; if(getConfig('comments_need_login') == '1' && !$session->user_logged_in) { $session->kill_captcha(); $captcha = $session->make_captcha(); - $_ob .= ''; + $_ob .= ''; } $_ob .= ' @@ -1068,7 +1109,7 @@ '; } } else { - $_ob .= '

Got something to say?

You need to be logged in to post comments. Log in

'; + $_ob .= '

Got something to say?

You need to be logged in to post comments. Log in

'; } $list .= '};'; echo 'document.getElementById(\'ajaxEditContainer\').innerHTML = unescape(\''. rawurlencode($_ob) .'\'); @@ -1139,7 +1180,7 @@ if(!$session->get_permissions('mod_comments')) // allow mods to edit comments { if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.

Please log in and try again.'); - $q = 'SELECT c.name FROM '.table_prefix.'comments c, '.table_prefix.'users u WHERE comment_data=\''.$old_text.'\' AND subject=\''.$old_subject.'\' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND u.user_id=c.user_id;'; + $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_data=\'' . $old_text . '\' AND subject=\'' . $old_subject . '\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;'; $s = $db->sql_query($q); if(!$s) _die('SQL error during safety check: '.mysql_error().'

Attempted SQL:
'.htmlspecialchars($q).'
'); $r = $db->fetchrow($s); @@ -1148,13 +1189,13 @@ } $s = RenderMan::preprocess_text($subject); $t = RenderMan::preprocess_text($text); - $sql = 'UPDATE '.table_prefix.'comments SET subject=\''.$s.'\',comment_data=\''.$t.'\' WHERE comment_data=\''.$old_text.'\' AND subject=\''.$old_subject.'\' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\''; + $sql = 'UPDATE ' . table_prefix.'comments SET subject=\'' . $s . '\',comment_data=\'' . $t . '\' WHERE comment_data=\'' . $old_text . '\' AND subject=\'' . $old_subject . '\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''; $result = $db->sql_query($sql); if($result) { return 'result="GOOD"; - list['.$id.'][\'subject\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $s))))).'\'); - list['.$id.'][\'comment\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t))))).'\'); id = '.$id.'; + list[' . $id . '][\'subject\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $s))))).'\'); + list[' . $id . '][\'comment\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t))))).'\'); id = ' . $id . '; s = unescape(\''.rawurlencode($s).'\'); t = unescape(\''.str_replace('%5Cn', '
', rawurlencode(RenderMan::render(str_replace('{{EnAnO:Newline}}', "\n", stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t)))))).'\');'; } @@ -1162,7 +1203,7 @@ { return 'result="BAD"; error=unescape("'.rawurlencode('Enano encountered a problem whilst saving the comment. Performed SQL: - '.$sql.' + ' . $sql . ' Error returned by MySQL: '.mysql_error()).'");'; } @@ -1188,7 +1229,7 @@ if(!$session->get_permissions('mod_comments')) // allow mods to edit comments { if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.

Please log in and try again.'); - $q = 'SELECT c.name FROM '.table_prefix.'comments c, '.table_prefix.'users u WHERE comment_id='.$id.' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND u.user_id=c.user_id;'; + $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;'; $s = $db->sql_query($q); if(!$s) _die('SQL error during safety check: '.mysql_error().'

Attempted SQL:
'.htmlspecialchars($q).'
'); $r = $db->fetchrow($s); @@ -1197,13 +1238,13 @@ } $s = RenderMan::preprocess_text($subject); $t = RenderMan::preprocess_text($text); - $sql = 'UPDATE '.table_prefix.'comments SET subject=\''.$s.'\',comment_data=\''.$t.'\' WHERE comment_id='.$id.' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\''; + $sql = 'UPDATE ' . table_prefix.'comments SET subject=\'' . $s . '\',comment_data=\'' . $t . '\' WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''; $result = $db->sql_query($sql); if($result) return 'good'; else return 'Enano encountered a problem whilst saving the comment. Performed SQL: - '.$sql.' + ' . $sql . ' Error returned by MySQL: '.mysql_error(); } @@ -1235,16 +1276,16 @@ if(!$session->get_permissions('mod_comments')) // allows mods to delete comments { if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.

Please log in and try again.'); - $q = 'SELECT c.name FROM '.table_prefix.'comments c, '.table_prefix.'users u WHERE comment_data=\''.$t.'\' AND subject=\''.$s.'\' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND u.user_id=c.user_id;'; + $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_data=\'' . $t . '\' AND subject=\'' . $s . '\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;'; $s = $db->sql_query($q); if(!$s) _die('SQL error during safety check: '.mysql_error().'

Attempted SQL:
'.htmlspecialchars($q).'
'); $r = $db->fetchrow($s); if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.'); $db->free_result(); } - $q = 'DELETE FROM '.table_prefix.'comments WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND name=\''.$n.'\' AND subject=\''.$s.'\' AND comment_data=\''.$t.'\' LIMIT 1;'; + $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\' LIMIT 1;'; $e=$db->sql_query($q); - if(!$e) return('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n'.$q).'\'));'); + if(!$e) return('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));'); return('good'); } @@ -1269,16 +1310,16 @@ if(!$session->get_permissions('mod_comments')) // allows mods to delete comments { if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.

Please log in and try again.'); - $q = 'SELECT c.name FROM '.table_prefix.'comments c, '.table_prefix.'users u WHERE comment_id='.$id.' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND u.user_id=c.user_id;'; + $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;'; $s = $db->sql_query($q); if(!$s) _die('SQL error during safety check: '.mysql_error().'

Attempted SQL:
'.htmlspecialchars($q).'
'); $r = $db->fetchrow($s); if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.'); $db->free_result(); } - $q = 'DELETE FROM '.table_prefix.'comments WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND comment_id='.$id.' LIMIT 1;'; + $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND comment_id=' . $id . ' LIMIT 1;'; $e=$db->sql_query($q); - if(!$e) return('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n'.$q).'\'));'); + if(!$e) return('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));'); return('good'); } @@ -1305,19 +1346,19 @@ } if( ( $session->get_permissions('rename') && ( ( $prot && $session->get_permissions('even_when_protected') ) || !$prot ) ) && ( $paths->namespace != 'Special' && $paths->namespace != 'Admin' )) { - $e = $db->sql_query('INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'rename\', \''.$db->escape($paths->cpage['urlname_nons']).'\', \''.$paths->namespace.'\', \''.$db->escape($session->username).'\', \''.$db->escape($paths->cpage['name']).'\')'); + $e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'rename\', \'' . $db->escape($paths->cpage['urlname_nons']) . '\', \'' . $paths->namespace . '\', \'' . $db->escape($session->username) . '\', \'' . $db->escape($paths->cpage['name']) . '\')'); if ( !$e ) { $db->_die('The page title could not be updated.'); } - $e = $db->sql_query('UPDATE '.table_prefix.'pages SET name=\''.$db->escape($name).'\' WHERE urlname=\''.$db->escape($page_id).'\' AND namespace=\''.$db->escape($namespace).'\';'); + $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET name=\'' . $db->escape($name) . '\' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';'); if ( !$e ) { $db->_die('The page title could not be updated.'); } else { - return('The page "'.$paths->pages[$pname]['name'].'" has been renamed to "'.$name.'". You are encouraged to leave a comment explaining your action.' . "\n\n" . 'You will see the change take effect the next time you reload this page.'); + return('The page "' . $paths->pages[$pname]['name'] . '" has been renamed to "' . $name . '". You are encouraged to leave a comment explaining your action.' . "\n\n" . 'You will see the change take effect the next time you reload this page.'); } } else @@ -1337,18 +1378,18 @@ { global $db, $session, $paths, $template, $plugins; // Common objects if(!$session->get_permissions('clear_logs')) die('Administrative privileges are required to flush logs, you loser.'); - $e = $db->sql_query('DELETE FROM '.table_prefix.'logs WHERE page_id=\''.$db->escape($page_id).'\' AND namespace=\''.$db->escape($namespace).'\';'); + $e = $db->sql_query('DELETE FROM ' . table_prefix.'logs WHERE page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';'); if(!$e) $db->_die('The log entries could not be deleted.'); // If the page exists, make a backup of it in case it gets spammed/vandalized // If not, the admin's probably deleting a trash page if ( isset($paths->pages[ $paths->nslist[$namespace] . $page_id ]) ) { - $e = $db->sql_query('SELECT page_text,char_tag FROM '.table_prefix.'page_text WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\';'); + $e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'page_text WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); if(!$e) $db->_die('The current page text could not be selected; as a result, creating the backup of the page failed. Please make a backup copy of the page by clicking Edit this page and then clicking Save Changes.'); $row = $db->fetchrow(); $db->free_result(); - $q='INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.date('d M Y h:i a').'\', \''.$page_id.'\', \''.$namespace.'\', \''.$db->escape($row['page_text']).'\', \''.$row['char_tag'].'\', \''.$session->username.'\', \''."Automatic backup created when logs were purged".'\', '.'false'.');'; + $q='INSERT INTO ' . table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.date('d M Y h:i a').'\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape($row['page_text']) . '\', \'' . $row['char_tag'] . '\', \'' . $session->username . '\', \''."Automatic backup created when logs were purged".'\', '.'false'.');'; if(!$db->sql_query($q)) $db->_die('The history (log) entry could not be inserted into the logs table.'); } return('The logs for this page have been cleared. A backup of this page has been added to the logs table so that this page can be restored in case of vandalism or spam later.'); @@ -1372,17 +1413,17 @@ return 'Invalid reason for deletion passed'; } if(!$perms->get_permissions('delete_page')) return('Administrative privileges are required to delete pages, you loser.'); - $e = $db->sql_query('INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'delete\', \''.$page_id.'\', \''.$namespace.'\', \''.$session->username.'\', \'' . $db->escape(htmlspecialchars($reason)) . '\')'); + $e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'delete\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $session->username . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\')'); if(!$e) $db->_die('The page log entry could not be inserted.'); - $e = $db->sql_query('DELETE FROM '.table_prefix.'categories WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\''); + $e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''); if(!$e) $db->_die('The page categorization entries could not be deleted.'); - $e = $db->sql_query('DELETE FROM '.table_prefix.'comments WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\''); + $e = $db->sql_query('DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''); if(!$e) $db->_die('The page comments could not be deleted.'); - $e = $db->sql_query('DELETE FROM '.table_prefix.'page_text WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\''); + $e = $db->sql_query('DELETE FROM ' . table_prefix.'page_text WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''); if(!$e) $db->_die('The page text entry could not be deleted.'); - $e = $db->sql_query('DELETE FROM '.table_prefix.'pages WHERE urlname=\''.$page_id.'\' AND namespace=\''.$namespace.'\''); + $e = $db->sql_query('DELETE FROM ' . table_prefix.'pages WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''); if(!$e) $db->_die('The page entry could not be deleted.'); - $e = $db->sql_query('DELETE FROM '.table_prefix.'files WHERE page_id=\''.$page_id.'\''); + $e = $db->sql_query('DELETE FROM ' . table_prefix.'files WHERE page_id=\'' . $page_id . '\''); if(!$e) $db->_die('The file entry could not be deleted.'); return('This page has been deleted. Note that there is still a log of edits and actions in the database, and anyone with admin rights can raise this page from the dead unless the log is cleared. If the deleted file is an image, there may still be cached thumbnails of it in the cache/ directory, which is inaccessible to users.'); } @@ -1447,7 +1488,7 @@ $cv++; - $q = 'UPDATE '.table_prefix.'pages SET delvotes='.$cv.',delvote_ips=\''.$ips.'\' WHERE urlname=\''.$page_id.'\' AND namespace=\''.$namespace.'\''; + $q = 'UPDATE ' . table_prefix.'pages SET delvotes=' . $cv . ',delvote_ips=\'' . $ips . '\' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''; $w = $db->sql_query($q); return 'Your vote to have this page deleted has been cast.'."\nYou are encouraged to leave a comment explaining the reason for your vote."; @@ -1464,7 +1505,7 @@ { global $db, $session, $paths, $template, $plugins; // Common objects if(!$session->get_permissions('vote_reset')) die('You need moderator rights in order to do this, stinkin\' hacker.'); - $q = 'UPDATE '.table_prefix.'pages SET delvotes=0,delvote_ips=\'' . $db->escape(serialize(array('ip'=>array(),'u'=>array()))) . '\' WHERE urlname=\''.$page_id.'\' AND namespace=\''.$namespace.'\''; + $q = 'UPDATE ' . table_prefix.'pages SET delvotes=0,delvote_ips=\'' . $db->escape(serialize(array('ip'=>array(),'u'=>array()))) . '\' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''; $e = $db->sql_query($q); if(!$e) $db->_die('The number of delete votes was not reset.'); else return('The number of votes for having this page deleted has been reset to zero.'); @@ -1480,14 +1521,17 @@ { $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); - $dir = './themes/'.$_GET['id'].'/css/'; + if ( !preg_match('/^([a-z0-9_-]+)$/', $_GET['id']) ) + return $json->encode(false); + + $dir = './themes/' . $_GET['id'] . '/css/'; $list = Array(); // Open a known directory, and proceed to read its contents if (is_dir($dir)) { if ($dh = opendir($dir)) { while (($file = readdir($dh)) !== false) { - if(preg_match('#^(.*?)\.css$#is', $file) && $file != '_printable.css') { // _printable.css should be included with every theme - // it should be a copy of the original style, but + if ( preg_match('#^(.*?)\.css$#is', $file) && $file != '_printable.css' ) // _printable.css should be included with every theme + { // it should be a copy of the original style, but // mostly black and white // Note to self: document this $list[] = substr($file, 0, strlen($file)-4); @@ -1527,7 +1571,7 @@ global $db, $session, $paths, $template, $plugins; // Common objects ob_start(); $_ob = ''; - $e = $db->sql_query('SELECT category_id FROM '.table_prefix.'categories WHERE page_id=\''.$paths->cpage['urlname_nons'].'\' AND namespace=\''.$paths->namespace.'\''); + $e = $db->sql_query('SELECT category_id FROM ' . table_prefix.'categories WHERE page_id=\'' . $paths->cpage['urlname_nons'] . '\' AND namespace=\'' . $paths->namespace . '\''); if(!$e) jsdie('Error selecting category information for current page: '.mysql_error()); $cat_current = Array(); while($r = $db->fetchrow()) @@ -1579,10 +1623,10 @@ $is_prot = true; $prot = ( $is_prot ) ? ' disabled="disabled" ' : ''; $prottext = ( $is_prot ) ? ' (protected)' : ''; - echo 'catlist['.$i.'] = \''.$cat_info[$i]['urlname_nons'].'\';'; - $_ob .= ''.$cat_info[$i]['name'].$prottext.'
'; + $_ob .= '/>
'; } $disabled = ( sizeof($cat_info) < 1 ) ? 'disabled="disabled"' : ''; @@ -1637,9 +1681,9 @@ if(!$auth) { // Find out if the page is currently in the category - $q = $db->sql_query('SELECT * FROM '.table_prefix.'categories WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\';'); + $q = $db->sql_query('SELECT * FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); if(!$q) - return 'MySQL error: '.$db->get_error(); + return 'MySQL error: ' . $db->get_error(); if($db->numrows() > 0) { $auth = true; @@ -1647,13 +1691,13 @@ } $db->free_result(); } - if(isset($which_cats[$cat_all[$i]['urlname_nons']]) && $which_cats[$cat_all[$i]['urlname_nons']] == true /* for clarity ;-) */ && $auth ) $rowlist[] = '(\''.$page_id.'\', \''.$namespace.'\', \''.$cat_all[$i]['urlname_nons'].'\')'; + if(isset($which_cats[$cat_all[$i]['urlname_nons']]) && $which_cats[$cat_all[$i]['urlname_nons']] == true /* for clarity ;-) */ && $auth ) $rowlist[] = '(\'' . $page_id . '\', \'' . $namespace . '\', \'' . $cat_all[$i]['urlname_nons'] . '\')'; } if(sizeof($rowlist) > 0) { $val = implode(',', $rowlist); - $q = 'INSERT INTO '.table_prefix.'categories(page_id,namespace,category_id) VALUES' . $val . ';'; - $e = $db->sql_query('DELETE FROM '.table_prefix.'categories WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\';'); + $q = 'INSERT INTO ' . table_prefix.'categories(page_id,namespace,category_id) VALUES' . $val . ';'; + $e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); if(!$e) $db->_die('The old category data could not be deleted.'); $e = $db->sql_query($q); if(!$e) $db->_die('The new category data could not be inserted.'); @@ -1661,7 +1705,7 @@ } else { - $e = $db->sql_query('DELETE FROM '.table_prefix.'categories WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\';'); + $e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); if(!$e) $db->_die('The old category data could not be deleted.'); return('GOOD'); } @@ -1679,9 +1723,15 @@ { global $db, $session, $paths, $template, $plugins; // Common objects if(!$session->get_permissions('set_wiki_mode')) return('Insufficient access rights'); - if(!isset($level) || (isset($level) && !preg_match('#^([0-2]){1}$#', (string)$level))) return('Invalid mode string'); - $q = $db->sql_query('UPDATE '.table_prefix.'pages SET wiki_mode='.$level.' WHERE urlname=\''.$page_id.'\' AND namespace=\''.$namespace.'\';'); - if(!$q) return('Error during update query: '.mysql_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace()); + if ( !isset($level) || ( isset($level) && !preg_match('#^([0-2]){1}$#', (string)$level) ) ) + { + return('Invalid mode string'); + } + $q = $db->sql_query('UPDATE ' . table_prefix.'pages SET wiki_mode=' . $level . ' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); + if ( !$q ) + { + return('Error during update query: '.mysql_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace()); + } return('GOOD'); } @@ -1705,11 +1755,23 @@ return 'Access is denied'; if(!isset($pass)) return('Password was not set on URL'); $p = $pass; - if(!preg_match('#([0-9a-f]){40,40}#', $p)) $p = sha1($p); - if($p=='da39a3ee5e6b4b0d3255bfef95601890afd80709') $p = ''; - $e = $db->sql_query('UPDATE '.table_prefix.'pages SET password=\''.$p.'\' WHERE urlname=\''.$page_id.'\' AND namespace=\''.$namespace.'\';'); - if(!$e) die('PageUtils::setpass(): Error during update query: '.mysql_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace()); - if($p=='') return('The password for this page has been disabled.'); + if ( !preg_match('#([0-9a-f]){40,40}#', $p) ) + { + $p = sha1($p); + } + if ( $p == 'da39a3ee5e6b4b0d3255bfef95601890afd80709' ) + // sha1('') = da39a3ee5e6b4b0d3255bfef95601890afd80709 + $p = ''; + $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET password=\'' . $p . '\' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); + if ( !$e ) + { + die('PageUtils::setpass(): Error during update query: '.mysql_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace()); + } + // Is the new password blank? + if ( $p == '' ) + { + return('The password for this page has been disabled.'); + } else return('The password for this page has been set.'); } @@ -1741,7 +1803,7 @@ function scrollBox($text, $height = 250) { - return '
'.$text.'
'; + return '
' . $text . '
'; } /** @@ -1762,8 +1824,8 @@ !preg_match('#^([0-9]+)$#', (string)$id2 )) return 'SQL injection attempt'; // OK we made it through security // Safest way to make sure we don't end up with the revisions in wrong columns is to make 2 queries - if(!$q1 = $db->sql_query('SELECT page_text,char_tag,author,edit_summary FROM '.table_prefix.'logs WHERE time_id='.$id1.' AND log_type=\'page\' AND action=\'edit\' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\';')) return 'MySQL error: '.mysql_error(); - if(!$q2 = $db->sql_query('SELECT page_text,char_tag,author,edit_summary FROM '.table_prefix.'logs WHERE time_id='.$id2.' AND log_type=\'page\' AND action=\'edit\' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\';')) return 'MySQL error: '.mysql_error(); + if(!$q1 = $db->sql_query('SELECT page_text,char_tag,author,edit_summary FROM ' . table_prefix.'logs WHERE time_id=' . $id1 . ' AND log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';')) return 'MySQL error: '.mysql_error(); + if(!$q2 = $db->sql_query('SELECT page_text,char_tag,author,edit_summary FROM ' . table_prefix.'logs WHERE time_id=' . $id2 . ' AND log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';')) return 'MySQL error: '.mysql_error(); $row1 = $db->fetchrow($q1); $db->free_result($q1); $row2 = $db->fetchrow($q2); @@ -1805,8 +1867,8 @@ $parms['namespace'] = ( isset($parms['namespace']) ) ? $parms['namespace'] : false; $page_id =& $parms['page_id']; $namespace =& $parms['namespace']; - $page_where_clause = ( empty($page_id) || empty($namespace) ) ? 'AND a.page_id IS NULL AND a.namespace IS NULL' : 'AND a.page_id=\''.$db->escape($page_id).'\' AND a.namespace=\''.$db->escape($namespace).'\''; - $page_where_clause_lite = ( empty($page_id) || empty($namespace) ) ? 'AND page_id IS NULL AND namespace IS NULL' : 'AND page_id=\''.$db->escape($page_id).'\' AND namespace=\''.$db->escape($namespace).'\''; + $page_where_clause = ( empty($page_id) || empty($namespace) ) ? 'AND a.page_id IS NULL AND a.namespace IS NULL' : 'AND a.page_id=\'' . $db->escape($page_id) . '\' AND a.namespace=\'' . $db->escape($namespace) . '\''; + $page_where_clause_lite = ( empty($page_id) || empty($namespace) ) ? 'AND page_id IS NULL AND namespace IS NULL' : 'AND page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\''; //die(print_r($page_id,true)); $template->load_theme(); // $perms_obj = $session->fetch_page_acl($page_id, $namespace); @@ -1828,7 +1890,7 @@ { case 'listgroups': $return['groups'] = Array(); - $q = $db->sql_query('SELECT group_id,group_name FROM '.table_prefix.'groups ORDER BY group_name ASC;'); + $q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix.'groups ORDER BY group_name ASC;'); while($row = $db->fetchrow()) { $return['groups'][] = Array( @@ -1838,7 +1900,7 @@ } $db->free_result(); $return['page_groups'] = Array(); - $q = $db->sql_query('SELECT pg_id,pg_name FROM '.table_prefix.'page_groups ORDER BY pg_name ASC;'); + $q = $db->sql_query('SELECT pg_id,pg_name FROM ' . table_prefix.'page_groups ORDER BY pg_name ASC;'); if ( !$q ) return Array( 'mode' => 'error', @@ -1862,18 +1924,18 @@ switch($parms['target_type']) { case ACL_TYPE_USER: - $q = $db->sql_query('SELECT a.rules,u.user_id FROM '.table_prefix.'users AS u - LEFT JOIN '.table_prefix.'acl AS a + $q = $db->sql_query('SELECT a.rules,u.user_id FROM ' . table_prefix.'users AS u + LEFT JOIN ' . table_prefix.'acl AS a ON a.target_id=u.user_id WHERE a.target_type='.ACL_TYPE_USER.' - AND u.username=\''.$db->escape($parms['target_id']).'\' - '.$page_where_clause.';'); + AND u.username=\'' . $db->escape($parms['target_id']) . '\' + ' . $page_where_clause . ';'); if(!$q) return(Array('mode'=>'error','error'=>mysql_error())); if($db->numrows() < 1) { $return['type'] = 'new'; - $q = $db->sql_query('SELECT user_id FROM '.table_prefix.'users WHERE username=\''.$db->escape($parms['target_id']).'\';'); + $q = $db->sql_query('SELECT user_id FROM ' . table_prefix.'users WHERE username=\'' . $db->escape($parms['target_id']) . '\';'); if(!$q) return(Array('mode'=>'error','error'=>mysql_error())); if($db->numrows() < 1) @@ -1909,18 +1971,18 @@ } break; case ACL_TYPE_GROUP: - $q = $db->sql_query('SELECT a.rules,g.group_name,g.group_id FROM '.table_prefix.'groups AS g - LEFT JOIN '.table_prefix.'acl AS a + $q = $db->sql_query('SELECT a.rules,g.group_name,g.group_id FROM ' . table_prefix.'groups AS g + LEFT JOIN ' . table_prefix.'acl AS a ON a.target_id=g.group_id WHERE a.target_type='.ACL_TYPE_GROUP.' AND g.group_id=\''.intval($parms['target_id']).'\' - '.$page_where_clause.';'); + ' . $page_where_clause . ';'); if(!$q) return(Array('mode'=>'error','error'=>mysql_error())); if($db->numrows() < 1) { $return['type'] = 'new'; - $q = $db->sql_query('SELECT group_id,group_name FROM '.table_prefix.'groups WHERE group_id=\''.intval($parms['target_id']).'\';'); + $q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix.'groups WHERE group_id=\''.intval($parms['target_id']).'\';'); if(!$q) return(Array('mode'=>'error','error'=>mysql_error())); if($db->numrows() < 1) @@ -1968,8 +2030,8 @@ { return Array('mode'=>'error','error'=>'Editing access control lists is disabled in the administration demo.'); } - $q = $db->sql_query('DELETE FROM '.table_prefix.'acl WHERE target_type='.intval($parms['target_type']).' AND target_id='.intval($parms['target_id']).' - '.$page_where_clause_lite.';'); + $q = $db->sql_query('DELETE FROM ' . table_prefix.'acl WHERE target_type='.intval($parms['target_type']).' AND target_id='.intval($parms['target_id']).' + ' . $page_where_clause_lite . ';'); if(!$q) return Array('mode'=>'error','error'=>mysql_error()); $rules = $session->perm_to_string($parms['perms']); @@ -1980,10 +2042,10 @@ 'error' => 'Supplied rule list has a length of zero' ); } - $q = ($page_id && $namespace) ? 'INSERT INTO '.table_prefix.'acl ( target_type, target_id, page_id, namespace, rules ) - VALUES( '.intval($parms['target_type']).', '.intval($parms['target_id']).', \''.$db->escape($page_id).'\', \''.$db->escape($namespace).'\', \''.$db->escape($rules).'\' )' : - 'INSERT INTO '.table_prefix.'acl ( target_type, target_id, rules ) - VALUES( '.intval($parms['target_type']).', '.intval($parms['target_id']).', \''.$db->escape($rules).'\' )'; + $q = ($page_id && $namespace) ? 'INSERT INTO ' . table_prefix.'acl ( target_type, target_id, page_id, namespace, rules ) + VALUES( '.intval($parms['target_type']).', '.intval($parms['target_id']).', \'' . $db->escape($page_id) . '\', \'' . $db->escape($namespace) . '\', \'' . $db->escape($rules) . '\' )' : + 'INSERT INTO ' . table_prefix.'acl ( target_type, target_id, rules ) + VALUES( '.intval($parms['target_type']).', '.intval($parms['target_id']).', \'' . $db->escape($rules) . '\' )'; if(!$db->sql_query($q)) return Array('mode'=>'error','error'=>mysql_error()); return Array( 'mode' => 'success', @@ -1999,8 +2061,8 @@ { return Array('mode'=>'error','error'=>'Editing access control lists is disabled in the administration demo.'); } - $q = $db->sql_query('DELETE FROM '.table_prefix.'acl WHERE target_type='.intval($parms['target_type']).' AND target_id='.intval($parms['target_id']).' - '.$page_where_clause_lite.';'); + $q = $db->sql_query('DELETE FROM ' . table_prefix.'acl WHERE target_type='.intval($parms['target_type']).' AND target_id='.intval($parms['target_id']).' + ' . $page_where_clause_lite . ';'); if(!$q) return Array('mode'=>'error','error'=>mysql_error()); return Array( @@ -2144,7 +2206,7 @@ } $type = ( $response['target_type'] == ACL_TYPE_GROUP ) ? 'group' : 'user'; $scope = ( $response['page_id'] ) ? ( $response['namespace'] == '__PageGroup' ? 'this group of pages' : 'this page' ) : 'this entire site'; - echo 'This panel allows you to edit what the '.$type.' "'.$response['target_name'].'" can do on '.$scope.'. Unless you set a permission to "Deny", these permissions may be overridden by other rules.'; + echo 'This panel allows you to edit what the ' . $type . ' "' . $response['target_name'] . '" can do on ' . $scope . '. Unless you set a permission to "Deny", these permissions may be overridden by other rules.'; echo $formstart; $parser = $template->makeParserText( $response['template']['acl_field_begin'] ); echo $parser->run(); diff -r ebe99e82a59a -r 473cc747022a includes/sessions.php --- a/includes/sessions.php Sat Oct 20 21:44:13 2007 -0400 +++ b/includes/sessions.php Fri Oct 26 19:28:54 2007 -0400 @@ -1049,7 +1049,7 @@ { // Stash it in a cookie // For now, make the cookie last forever, we can change this in 1.1.x - setcookie( 'sid', $session_key, time()+315360000, scriptPath.'/' ); + setcookie( 'sid', $session_key, time()+315360000, scriptPath.'/', null, ( isset($_SERVER['HTTPS']) ) ); $_COOKIE['sid'] = $session_key; } // $keyhash is stored in the database, this is for compatibility with the older DB structure diff -r ebe99e82a59a -r 473cc747022a includes/template.php --- a/includes/template.php Sat Oct 20 21:44:13 2007 -0400 +++ b/includes/template.php Fri Oct 26 19:28:54 2007 -0400 @@ -42,7 +42,7 @@ $this->plugin_blocks = Array(); $this->theme_loaded = false; - $this->fading_button = '
+ $this->fading_button = '
'; @@ -1611,7 +1611,8 @@ $admintitle = ( $session->user_level >= USER_LEVEL_ADMIN ) ? 'title="You may disable this button in the admin panel under General Configuration."' : ''; if(getConfig('sflogo_enabled')=='1') { - $ob[] = 'SourceForge.net Logo'; + $sflogo_secure = ( isset($_SERVER['HTTPS']) ) ? 'https' : 'http'; + $ob[] = 'SourceForge.net Logo'; } if(getConfig('w3c_v32') =='1') $ob[] = 'Valid HTML 3.2'; if(getConfig('w3c_v40') =='1') $ob[] = 'Valid HTML 4.0'; diff -r ebe99e82a59a -r 473cc747022a index.php diff -r ebe99e82a59a -r 473cc747022a install.php --- a/install.php Sat Oct 20 21:44:13 2007 -0400 +++ b/install.php Fri Oct 26 19:28:54 2007 -0400 @@ -1,1214 +1,1215 @@ -The Enano installer has found a Enano installation in this directory. You MUST delete config.php if you want to re-install Enano.

If you wish to upgrade an older Enano installation to this version, please use the upgrade script.

'); - exit; -} - -define('IN_ENANO_INSTALL', 'true'); - -define('ENANO_VERSION', '1.1.1'); -// In beta versions, define ENANO_BETA_VERSION here - -if(!defined('scriptPath')) { - $sp = dirname($_SERVER['REQUEST_URI']); - if($sp == '/' || $sp == '\\') $sp = ''; - define('scriptPath', $sp); -} - -if(!defined('contentPath')) { - $sp = dirname($_SERVER['REQUEST_URI']); - if($sp == '/' || $sp == '\\') $sp = ''; - define('contentPath', $sp); -} -global $_starttime, $this_page, $sideinfo; -$_starttime = microtime(true); - -// Determine directory (special case for development servers) -if ( strpos(__FILE__, '/repo/') && file_exists('.enanodev') ) -{ - $filename = str_replace('/repo/', '/', __FILE__); -} -else -{ - $filename = __FILE__; -} - -define('ENANO_ROOT', dirname($filename)); - -function is_page($p) -{ - return true; -} - -require('includes/wikiformat.php'); -require('includes/constants.php'); -require('includes/rijndael.php'); -require('includes/functions.php'); - -strip_magic_quotes_gpc(); - -//die('Key size: ' . AES_BITS . '
Block size: ' . AES_BLOCKSIZE); - -if(!function_exists('wikiFormat')) -{ - function wikiFormat($message, $filter_links = true) - { - $wiki = & Text_Wiki::singleton('Mediawiki'); - $wiki->setRenderConf('Xhtml', 'code', 'css_filename', 'codefilename'); - $wiki->setRenderConf('Xhtml', 'wikilink', 'view_url', contentPath); - $result = $wiki->transform($message, 'Xhtml'); - - // HTML fixes - $result = preg_replace('#
([\s]*?)<\/tr>#is', '', $result); - $result = preg_replace('#

([\s]*?)<\/p>#is', '', $result); - $result = preg_replace('#
([\s]*?)

"; - } elseif(!$val && $warn) { - if($cv) $color='FFFFCC'; else $color='FFFFAA'; - echo ""; - $warned = true; - } else { - if($cv) $color='FFCCCC'; else $color='FFAAAA'; - echo ""; - $failed = true; - } -} -function is_apache() { $r = strstr($_SERVER['SERVER_SOFTWARE'], 'Apache') ? true : false; return $r; } - -require_once('includes/template.php'); - -if(!isset($_GET['mode'])) $_GET['mode'] = 'welcome'; -switch($_GET['mode']) -{ - case 'mysql_test': - error_reporting(0); - $dbhost = rawurldecode($_POST['host']); - $dbname = rawurldecode($_POST['name']); - $dbuser = rawurldecode($_POST['user']); - $dbpass = rawurldecode($_POST['pass']); - $dbrootuser = rawurldecode($_POST['root_user']); - $dbrootpass = rawurldecode($_POST['root_pass']); - if($dbrootuser != '') - { - $conn = mysql_connect($dbhost, $dbrootuser, $dbrootpass); - if(!$conn) - { - $e = mysql_error(); - if(strstr($e, "Lost connection")) - die('host'.$e); - else - die('root'.$e); - } - $rsp = 'good'; - $q = mysql_query('USE '.$dbname, $conn); - if(!$q) - { - $e = mysql_error(); - if(strstr($e, 'Unknown database')) - { - $rsp .= '_creating_db'; - } - } - mysql_close($conn); - $conn = mysql_connect($dbhost, $dbuser, $dbpass); - if(!$conn) - { - $e = mysql_error(); - if(strstr($e, "Lost connection")) - die('host'.$e); - else - $rsp .= '_creating_user'; - } - mysql_close($conn); - die($rsp); - } - else - { - $conn = mysql_connect($dbhost, $dbuser, $dbpass); - if(!$conn) - { - $e = mysql_error(); - if(strstr($e, "Lost connection")) - die('host'.$e); - else - die('auth'.$e); - } - $q = mysql_query('USE '.$dbname, $conn); - if(!$q) - { - $e = mysql_error(); - if(strstr($e, 'Unknown database')) - { - die('name'.$e); - } - else - { - die('perm'.$e); - } - } - } - $v = mysql_get_server_info(); - if(version_compare($v, '4.1.17', '<')) die('vers'.$v); - mysql_close($conn); - die('good'); - break; - case 'pophelp': - $topic = ( isset($_GET['topic']) ) ? $_GET['topic'] : 'invalid'; - switch($topic) - { - case 'admin_embed_php': - $title = 'Allow administrators to embed PHP'; - $content = '

This option allows you to control whether anything between the standard <?php and ?> tags will be treated as - PHP code by Enano. If this option is enabled, and members of the Administrators group use these tags, Enano will - execute that code when the page is loaded. There are obvious potential security implications here, which should - be carefully considered before enabling this option.

-

If you are the only administrator of this site, or if you have a high level of trust for those will be administering - the site with you, you should enable this to allow extreme customization of pages.

-

Leave this option off if you are at all concerned about security – if your account is compromised and PHP embedding - is enabled, an attacker can run arbitrary code on your server! Enabling this will also allow administrators to - embed Javascript and arbitrary HTML and CSS.

-

If you don\'t have experience coding in PHP, you can safely disable this option. You may change this at any time - using the ACL editor by selecting the Administrators group and This Entire Website under the scope selection.

'; - break; - default: - $title = 'Invalid topic'; - $content = 'Invalid help topic.'; - break; - } - echo << - - - Enano installation quick help • {$title} - - - - -

{$title}

- {$content} -

- Close window -

- - -EOF; - exit; - break; - default: - break; -} - -$template = new template_nodb(); -$template->load_theme('stpatty', 'shamrock', false); - -$modestrings = Array( - 'welcome' => 'Welcome', - 'license' => 'License Agreement', - 'sysreqs' => 'Server requirements', - 'database'=> 'Database information', - 'website' => 'Website configuration', - 'login' => 'Administration login', - 'confirm' => 'Confirm installation', - 'install' => 'Database installation', - 'finish' => 'Installation complete' - ); - -$sideinfo = ''; -$vars = $template->extract_vars('elements.tpl'); -$p = $template->makeParserText($vars['sidebar_button']); -foreach ( $modestrings as $id => $str ) -{ - if ( $_GET['mode'] == $id ) - { - $flags = 'style="font-weight: bold; text-decoration: underline;"'; - $this_page = $str; - } - else - { - $flags = ''; - } - $p->assign_vars(Array( - 'HREF' => '#', - 'FLAGS' => $flags . ' onclick="return false;"', - 'TEXT' => $str - )); - $sideinfo .= $p->run(); -} - -$template->init_vars(); - -if(isset($_GET['mode']) && $_GET['mode'] == 'css') -{ - header('Content-type: text/css'); - echo $template->get_css(); - exit; -} - -$template->header(); -if(!isset($_GET['mode'])) $_GET['mode'] = 'license'; -switch($_GET['mode']) -{ - default: - case 'welcome': - ?> -
- [ Enano CMS Project logo ] -

Welcome to Enano

-

version 1.1.1 – unstable

- You are about to install a NIGHTLY BUILD of Enano.
Nightly builds are NOT upgradeable and may contain serious flaws, security problems, or extraneous debugging information. Installing this version of Enano on a production site is NOT recommended.
'; - } - ?> - - - - - -

Welcome to the Enano installer.

-

Thank you for choosing Enano as your CMS. You've selected the finest in design, the strongest in security, and the latest in Web 2.0 toys. Trust us, you'll like it.

-

To get started, please read and accept the following license agreement. You've probably seen it before.

-
-

GNU General Public License

-

Declaration of license usage

-

Enano is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

-

This program is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License (below) for more details.

-

By clicking the button below or otherwise continuing the installation, you indicate your acceptance of this license agreement.

-

Human-readable version

-

Enano is distributed under certain licensing terms that we believe make it of the greatest possible use to the public. The license we distribute it under, the GNU General Public License, provides certain terms and conditions that, rather than limit your use of Enano, allow you to get the most out of it. If you would like to read the full text, it can be found below. Here is a human-readable version that we think is a little easier to understand.

-
    -
  • You may to run Enano for any purpose.
  • -
  • You may study how Enano works and adapt it to your needs.
  • -
  • You may redistribute copies so you can help your neighbor.
  • -
  • You may improve Enano and release your improvements to the public, so that the whole community benefits.
  • -
-

You may exercise the freedoms specified here provided that you comply with the express conditions of this license. The principal conditions are:

-
    -
  • You must conspicuously and appropriately publish on each copy distributed an appropriate copyright notice and disclaimer of warranty and keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of Enano a copy of the GNU General Public License along with Enano. Any translation of the GNU General Public License must be accompanied by the GNU General Public License.
  • -
  • If you modify your copy or copies of Enano or any portion of it, or develop a program based upon it, you may distribute the resulting work provided you do so under the GNU General Public License. Any translation of the GNU General Public License must be accompanied by the GNU General Public License.
  • -
  • If you copy or distribute Enano, you must accompany it with the complete corresponding machine-readable source code or with a written offer, valid for at least three years, to furnish the complete corresponding machine-readable source code.
  • -
-

Disclaimer: The above text is not a license. It is simply a handy reference for understanding the Legal Code (the full license) – it is a human-readable expression of some of its key terms. Think of it as the user-friendly interface to the Legal Code beneath. The above text itself has no legal value, and its contents do not appear in the actual license.
Text copied from the Creative Commons GPL Deed page

- -

Notice for prerelease versions

-

This version of Enano is designed only for testing and evaluation purposes. It is not yet completely stable, and should not be used on production websites. As with any Enano version, Dan Fuhry and the Enano team cannot be responsible for any damage, physical or otherwise, to any property as a result of the use of Enano. While security is a number one priority, sometimes things slip through.

- -

Lawyer-readable version

- -
-
Your name or screen name:'.$sn.'
Your name or screen name:' . $sn . '
Comment subject:
Visual confirmation:
Please enter the code you see on the right.
Visual confirmation
Code:
Visual confirmation:
Please enter the code you see on the right.
Visual confirmation
Code:
Comment text:
(most HTML will be stripped)
$descTest passed
$desc
$extended_desc
Test passed with warning
$desc
$extended_desc
Test failed
- - - -

Before clicking continue:
• Ensure that you agree with the terms of the license
• Have your database host, name, username, and password available

- -
- -

Checking your server

-

Enano has several requirements that must be met before it can be installed. If all is good then note any warnings and click Continue below.

- - =4.3.0', 'It seems that the version of PHP that your server is running is too old to support Enano properly. If this is your server, please upgrade to the most recent version of PHP, remembering to use the --with-mysql configure option if you compile it yourself. If this is not your server, please contact your webhost and ask them if it would be possible to upgrade PHP. If this is not possible, you will need to switch to a different webhost in order to use Enano.'); - run_test('return function_exists(\'mysql_connect\');', 'MySQL extension for PHP', 'It seems that your PHP installation does not have the MySQL extension enabled. If this is your own server, you may need to just enable the "libmysql.so" extension in php.ini. If you do not have the MySQL extension installed, you will need to either use your distribution\'s package manager to install it, or you will have to compile PHP from source. If you compile PHP from source, please remember to use the "--with-mysql" configure option, and you will have to have the MySQL development files installed (they usually are). If this is not your server, please contact your hosting company and ask them to install the PHP MySQL extension.'); - run_test('return @ini_get(\'file_uploads\');', 'File upload support', 'It seems that your server does not support uploading files. Enano *requires* this functionality in order to work properly. Please ask your server administrator to set the "file_uploads" option in php.ini to "On".'); - run_test('return is_apache();', 'Apache HTTP Server', 'Apparently your server is running a web server other than Apache. Enano will work nontheless, but there are some known bugs with non-Apache servers, and the "fancy" URLs will not work properly. The "Standard URLs" option will be set on the website configuration page, only change it if you are absolutely certain that your server is running Apache.', true); - //run_test('return function_exists(\'finfo_file\');', 'Fileinfo PECL extension', 'The MIME magic PHP extension is used to determine the type of a file by looking for a certain "magic" string of characters inside it. This functionality is used by Enano to more effectively prevent malicious file uploads. The MIME magic option will be disabled by default.', true); - run_test('return is_writable(ENANO_ROOT.\'/config.php\');', 'Configuration file writable', 'It looks like the configuration file, config.php, is not writable. Enano needs to be able to write to this file in order to install.

If you are installing Enano on a SourceForge web site:
SourceForge mounts the web partitions read-only now, so you will need to use the project shell service to symlink config.php to a file in the /tmp/persistent directory.'); - run_test('return file_exists(\'/usr/bin/convert\');', 'ImageMagick support', 'Enano uses ImageMagick to scale images into thumbnails. Because ImageMagick was not found on your server, Enano will use the width= and height= attributes on the <img> tag to scale images. This can cause somewhat of a performance increase, but bandwidth usage will be higher, especially if you use high-resolution images on your site.

If you are sure that you have ImageMagick, you can set the location of the "convert" program using the administration panel after installation is complete.', true); - run_test('return is_writable(ENANO_ROOT.\'/cache/\');', 'Cache directory writable', 'Apparently the cache/ directory is not writable. Enano will still work, but you will not be able to cache thumbnails, meaning the server will need to re-render them each time they are requested. In some cases, this can cause a significant slowdown.', true); - run_test('return is_writable(ENANO_ROOT.\'/files/\');', 'File uploads directory writable', 'It seems that the directory where uploaded files are stored (' . ENANO_ROOT . '/files) cannot be written by the server. Enano will still function, but file uploads will not function, and will be disabled by default.', true); - echo '
'; - if(!$failed) - { - ?> - - - '; - run_test('return false;', 'Your server does not meet the requirements for Enano to run.', 'As a precaution, Enano will not install until the above requirements have been met. Contact your server administrator or hosting company and convince them to upgrade. Good luck.'); - echo '
'; - } - } - ?> - - -

Now we need some information that will allow Enano to contact your database server. Enano uses MySQL as a data storage backend, - and we need to have access to a MySQL server in order to continue.

-

If you do not have access to a MySQL server, and you are using your own server, you can download MySQL for free from - MySQL.com. Please note that, like Enano, MySQL is licensed under the GNU GPL. - If you need to modify MySQL and then distribute your modifications, you must either distribute them under the terms of the GPL - or purchase a proprietary license.

- MySQL login information for this virtual appliance:

Database hostname: localhost
Database login: username "enano", password: "clurichaun" (without quotes)
Database name: enano_www1

'; - } - ?> -
- - - - - - - - - - - - - -

Database information

Database hostname
This is the hostname (or sometimes the IP address) of your MySQL server. In many cases, this is "localhost".
Good/bad icon
Database name
The name of the actual database. If you don't already have a database, you can create one here, if you have the username and password of a MySQL user with administrative rights.
Good/bad icon
Database login
These fields should be the username and password of a user with "select", "insert", "update", "delete", "create table", and "replace" privileges for your database.
Good/bad icon

Optional information

Table prefix
The value that you enter here will be added to the beginning of the name of each Enano table. You may use lowercase letters (a-z), numbers (0-9), and underscores (_).
Good/bad icon
Database administrative login
If the MySQL database or username that you entered above does not exist yet, you can create them here, assuming that you have the login information for an administrative user (such as root). Leave these fields blank unless you need to use them.
Good/bad icon
MySQL versionMySQL version information will be checked when you click "Test Connection".Good/bad icon
Delete existing tables?
If this option is checked, all the tables that will be used by Enano will be dropped (deleted) before the schema is executed. Do NOT use this option unless specifically instructed to.
- -
- restart the installation.'; - $template->footer(); - exit; - } - unset($_POST['_cont']); - ?> - -
- '."\n"; - } - ?> -

The next step is to enter some information about your website. You can always change this information later, using the administration panel.

- - - - - - -
Website name
The display name of your website. Allowed characters are uppercase and lowercase letters, numerals, and spaces. This must not be blank or "Enano".
Good/bad icon
Website description
This text will be shown below the name of your website.
Good/bad icon
Copyright info
This should be a one-line legal notice that will appear at the bottom of all your pages.
Good/bad icon
Wiki mode
This feature allows people to create and edit pages on your site. Enano keeps a history of all page modifications, and you can protect pages to prevent editing.
URL scheme
Choose how the page URLs will look. Depending on your server configuration, you may need to select the first option. If you don't know, select the first option, and you can always change it later.
name="urlscheme" value="ugly" id="ugly">
name="urlscheme" value="short" id="short">
- -
- restart the installation.'; - $template->footer(); - exit; - } - unset($_POST['_cont']); - require('config.php'); - $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); - if ( isset($crypto_key) ) - { - $cryptkey = $crypto_key; - } - if(!isset($cryptkey) || ( isset($cryptkey) && strlen($cryptkey) != AES_BITS / 4) ) - { - $cryptkey = $aes->gen_readymade_key(); - $handle = @fopen(ENANO_ROOT.'/config.php', 'w'); - if(!$handle) - { - echo '

ERROR: Cannot open config.php for writing - exiting!

'; - $template->footer(); - exit; - } - fwrite($handle, ''); - fclose($handle); - } - ?> - -
- '."\n"; - } - ?> -

Next, enter your desired username and password. The account you create here will be used to administer your site.

- - - - - - - - - - - -
Administration username
The administration username you will use to log into your site.
This cannot be "anonymous" or in the form of an IP address.
Good/bad icon
Administration password:Good/bad icon
Enter it again to confirm:
Your e-mail address:Good/bad icon
- Allow administrators to embed PHP code into pages:
- Do not under any circumstances enable this option without reading these - important security implications. - -
-    - -
If your browser supports Javascript, the password you enter here will be encrypted with AES before it is sent to the server.
- -
- - - -
- - restart the installation.'; - $template->footer(); - exit; - } - unset($_POST['_cont']); - ?> -
- '."\n"; - } - ?> -

Enano is ready to install.

-

The wizard has finished collecting information and is ready to install the database schema. Please review the information below, - and then click the button below to install the database.

-
    -
  • Database hostname:
  • -
  • Database name:
  • -
  • Database user:
  • -
  • Database password: <hidden>
  • -
  • Site name:
  • -
  • Site description:
  • -
  • Administration username:
  • -
  • Cipher strength: -bit AES
    Cipher strength is defined in the file constants.php; if you desire to change the cipher strength, you may do so and then restart installation. Unless your site is mission-critical, changing the cipher strength is not necessary.
  • -
- -
- restart the installation.'; - $template->footer(); - exit; - } - switch($_POST['urlscheme']) - { - case "ugly": - default: - $cp = scriptPath.'/index.php?title='; - break; - case "short": - $cp = scriptPath.'/index.php/'; - break; - case "tiny": - $cp = scriptPath.'/'; - break; - } - function err($t) { global $template; echo $t; $template->footer(); exit; } - - echo 'Connecting to MySQL...'; - if($_POST['db_root_user'] != '') - { - $conn = mysql_connect($_POST['db_host'], $_POST['db_root_user'], $_POST['db_root_pass']); - if(!$conn) err('Error connecting to MySQL: '.mysql_error()); - $q = mysql_query('USE '.$_POST['db_name']); - if(!$q) - { - $q = mysql_query('CREATE DATABASE '.$_POST['db_name']); - if(!$q) err('Error initializing database: '.mysql_error()); - } - $q = mysql_query('GRANT ALL PRIVILEGES ON '.$_POST['db_name'].'.* TO \''.$_POST['db_user'].'\'@\'localhost\' IDENTIFIED BY \''.$_POST['db_pass'].'\' WITH GRANT OPTION;'); - if(!$q) err('Could not create the user account'); - $q = mysql_query('GRANT ALL PRIVILEGES ON '.$_POST['db_name'].'.* TO \''.$_POST['db_user'].'\'@\'%\' IDENTIFIED BY \''.$_POST['db_pass'].'\' WITH GRANT OPTION;'); - if(!$q) err('Could not create the user account'); - mysql_close($conn); - } - $conn = mysql_connect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass']); - if(!$conn) err('Error connecting to MySQL: '.mysql_error()); - $q = mysql_query('USE '.$_POST['db_name']); - if(!$q) err('Error selecting database: '.mysql_error()); - echo 'done!
'; - - // Are we supposed to drop any existing tables? If so, do it now - if(isset($_POST['drop_tables'])) - { - echo 'Dropping existing Enano tables...'; - // Our list of tables included in Enano - $tables = Array( 'mdg_categories', 'mdg_comments', 'mdg_config', 'mdg_logs', 'mdg_page_text', 'mdg_session_keys', 'mdg_pages', 'mdg_users', 'mdg_users_extra', 'mdg_themes', 'mdg_buddies', 'mdg_banlist', 'mdg_files', 'mdg_privmsgs', 'mdg_sidebar', 'mdg_hits', 'mdg_search_index', 'mdg_groups', 'mdg_group_members', 'mdg_acl', 'mdg_search_cache', 'mdg_tags', 'mdg_page_groups', 'mdg_page_group_members' ); - $tables = implode(', ', $tables); - $tables = str_replace('mdg_', $_POST['table_prefix'], $tables); - $query_of_death = 'DROP TABLE '.$tables.';'; - mysql_query($query_of_death); // We won't check for errors here because if this operation fails it probably means the tables didn't exist - echo 'done!
'; - } - - $cacheonoff = is_writable(ENANO_ROOT.'/cache/') ? '1' : '0'; - - echo 'Decrypting administration password...'; - - $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); - - if ( !empty($_POST['crypt_data']) ) - { - require('config.php'); - if ( !isset($cryptkey) ) - { - echo 'failed!
Cannot get the key from config.php'; - break; - } - $key = hexdecode($cryptkey); - - $dec = $aes->decrypt($_POST['crypt_data'], $key, ENC_HEX); - - } - else - { - $dec = $_POST['admin_pass']; - } - echo 'done!
Generating '.AES_BITS.'-bit AES private key...'; - $privkey = $aes->gen_readymade_key(); - $pkba = hexdecode($privkey); - $encpass = $aes->encrypt($dec, $pkba, ENC_HEX); - - echo 'done!
Preparing for schema execution...'; - $schema = file_get_contents('schema.sql'); - $schema = str_replace('{{SITE_NAME}}', mysql_real_escape_string($_POST['sitename'] ), $schema); - $schema = str_replace('{{SITE_DESC}}', mysql_real_escape_string($_POST['sitedesc'] ), $schema); - $schema = str_replace('{{COPYRIGHT}}', mysql_real_escape_string($_POST['copyright'] ), $schema); - $schema = str_replace('{{ADMIN_USER}}', mysql_real_escape_string($_POST['admin_user'] ), $schema); - $schema = str_replace('{{ADMIN_PASS}}', mysql_real_escape_string($encpass ), $schema); - $schema = str_replace('{{ADMIN_EMAIL}}', mysql_real_escape_string($_POST['admin_email']), $schema); - $schema = str_replace('{{ENABLE_CACHE}}', mysql_real_escape_string($cacheonoff ), $schema); - $schema = str_replace('{{REAL_NAME}}', '', $schema); - $schema = str_replace('{{TABLE_PREFIX}}', $_POST['table_prefix'], $schema); - $schema = str_replace('{{VERSION}}', ENANO_VERSION, $schema); - $schema = str_replace('{{ADMIN_EMBED_PHP}}', $_POST['admin_embed_php'], $schema); - // Not anymore!! :-D - // $schema = str_replace('{{BETA_VERSION}}', ENANO_BETA_VERSION, $schema); - - if(isset($_POST['wiki_mode'])) - { - $schema = str_replace('{{WIKI_MODE}}', '1', $schema); - } - else - { - $schema = str_replace('{{WIKI_MODE}}', '0', $schema); - } - - // Build an array of queries - $schema = explode("\n", $schema); - - foreach ( $schema as $i => $sql ) - { - $query =& $schema[$i]; - $t = trim($query); - if ( empty($t) || preg_match('/^(\#|--)/i', $t) ) - { - unset($schema[$i]); - unset($query); - } - } - - $schema = array_values($schema); - $schema = implode("\n", $schema); - $schema = explode(";\n", $schema); - - foreach ( $schema as $i => $sql ) - { - $query =& $schema[$i]; - if ( substr($query, ( strlen($query) - 1 ), 1 ) != ';' ) - { - $query .= ';'; - } - } - - // echo '
' . htmlspecialchars(print_r($schema, true)) . '
'; - // break; - - echo 'done!
Executing schema.sql...'; - - // OK, do the loop, baby!!! - foreach($schema as $q) - { - $r = mysql_query($q, $conn); - if(!$r) err('Error during mainstream installation: '.mysql_error()); - } - - echo 'done!
Writing configuration files...'; - if($_POST['urlscheme']=='tiny') - { - $ht = fopen(ENANO_ROOT.'/.htaccess', 'a+'); - if(!$ht) err('Error opening file .htaccess for writing'); - fwrite($ht, ' -RewriteEngine on -RewriteCond %{REQUEST_FILENAME} !-d -RewriteCond %{REQUEST_FILENAME} !-f -RewriteRule ^(.+) '.scriptPath.'/index.php?title=$1 [L,QSA] -RewriteRule \.(php|html|gif|jpg|png|css|js)$ - [L] -'); - fclose($ht); - } - - $config_file = ''; - - $cf_handle = fopen(ENANO_ROOT.'/config.php', 'w'); - if(!$cf_handle) err('Couldn\'t open file config.php for writing'); - fwrite($cf_handle, $config_file); - fclose($cf_handle); - - echo 'done!
Starting the Enano API...'; - - $template_bak = $template; - - // Get Enano loaded - $_GET['title'] = 'Main_Page'; - require('includes/common.php'); - - // We need to be logged in (with admin rights) before logs can be flushed - $session->login_without_crypto($_POST['admin_user'], $dec, false); - - // Now that login cookies are set, initialize the session manager and ACLs - $session->start(); - $paths->init(); - - unset($template); - $template =& $template_bak; - - echo 'done!
Initializing logs...'; - - $q = $db->sql_query('INSERT INTO ' . $_POST['table_prefix'] . 'logs(log_type,action,time_id,date_string,author,page_text,edit_summary) VALUES(\'security\', \'install_enano\', ' . time() . ', \'' . date('d M Y h:i a') . '\', \'' . mysql_real_escape_string($_POST['admin_user']) . '\', \'' . mysql_real_escape_string(ENANO_VERSION) . '\', \'' . mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . '\');', $conn); - if ( !$q ) - err('Error setting up logs: '.$db->get_error()); - - if ( !$session->get_permissions('clear_logs') ) - { - echo '
Error: session manager won\'t permit flushing logs, these is a bug.'; - break; - } - - // unset($session); - // $session = new sessionManager(); - // $session->start(); - - PageUtils::flushlogs('Main_Page', 'Article'); - - echo 'done!

Installation of Enano is complete.

Review any warnings above, and then click here to finish the installation.'; - - // echo ''; - - break; - case "finish": - echo '

Congratulations!

-

You have finished installing Enano on this server.

-

Now what?

-

Click the link below to see the main page for your website. Where to go from here:

-
    -
  • The first thing you should do is log into your site using the Log in link on the sidebar.
  • -
  • Go into the Administration panel, expand General, and click General Configuration. There you will be able to configure some basic information about your site.
  • -
  • Visit the Enano Plugin Gallery to download and use plugins on your site.
  • -
  • Periodically create a backup of your database and filesystem, in case something goes wrong. This should be done at least once a week – more for wiki-based sites.
  • -
  • Hire some moderators, to help you keep rowdy users tame.
  • -
  • Tell the Enano team what you think.
  • -
  • Spread the word about Enano by adding a link to the Enano homepage on your sidebar! You can enable this option in the General Configuration section of the administration panel.
  • -
-

Go to your website...

'; - break; -} -$template->footer(); - -?> +The Enano installer has found a Enano installation in this directory. You MUST delete config.php if you want to re-install Enano.

If you wish to upgrade an older Enano installation to this version, please use the upgrade script.

'); + exit; +} + +define('IN_ENANO_INSTALL', 'true'); + +define('ENANO_VERSION', '1.1.1'); +// In beta versions, define ENANO_BETA_VERSION here + +if(!defined('scriptPath')) { + $sp = dirname($_SERVER['REQUEST_URI']); + if($sp == '/' || $sp == '\\') $sp = ''; + define('scriptPath', $sp); +} + +if(!defined('contentPath')) { + $sp = dirname($_SERVER['REQUEST_URI']); + if($sp == '/' || $sp == '\\') $sp = ''; + define('contentPath', $sp); +} +global $_starttime, $this_page, $sideinfo; +$_starttime = microtime(true); + +// Determine directory (special case for development servers) +if ( strpos(__FILE__, '/repo/') && file_exists('.enanodev') ) +{ + $filename = str_replace('/repo/', '/', __FILE__); +} +else +{ + $filename = __FILE__; +} + +define('ENANO_ROOT', dirname($filename)); + +function is_page($p) +{ + return true; +} + +require('includes/wikiformat.php'); +require('includes/constants.php'); +require('includes/rijndael.php'); +require('includes/functions.php'); + +strip_magic_quotes_gpc(); + +//die('Key size: ' . AES_BITS . '
Block size: ' . AES_BLOCKSIZE); + +if(!function_exists('wikiFormat')) +{ + function wikiFormat($message, $filter_links = true) + { + $wiki = & Text_Wiki::singleton('Mediawiki'); + $wiki->setRenderConf('Xhtml', 'code', 'css_filename', 'codefilename'); + $wiki->setRenderConf('Xhtml', 'wikilink', 'view_url', contentPath); + $result = $wiki->transform($message, 'Xhtml'); + + // HTML fixes + $result = preg_replace('#([\s]*?)<\/tr>#is', '', $result); + $result = preg_replace('#

([\s]*?)<\/p>#is', '', $result); + $result = preg_replace('#
([\s]*?)$descTest passed"; + } elseif(!$val && $warn) { + if($cv) $color='FFFFCC'; else $color='FFFFAA'; + echo "$desc
$extended_descTest passed with warning"; + $warned = true; + } else { + if($cv) $color='FFCCCC'; else $color='FFAAAA'; + echo "$desc
$extended_descTest failed"; + $failed = true; + } +} +function is_apache() { $r = strstr($_SERVER['SERVER_SOFTWARE'], 'Apache') ? true : false; return $r; } + +require_once('includes/template.php'); + +if(!isset($_GET['mode'])) $_GET['mode'] = 'welcome'; +switch($_GET['mode']) +{ + case 'mysql_test': + error_reporting(0); + $dbhost = rawurldecode($_POST['host']); + $dbname = rawurldecode($_POST['name']); + $dbuser = rawurldecode($_POST['user']); + $dbpass = rawurldecode($_POST['pass']); + $dbrootuser = rawurldecode($_POST['root_user']); + $dbrootpass = rawurldecode($_POST['root_pass']); + if($dbrootuser != '') + { + $conn = mysql_connect($dbhost, $dbrootuser, $dbrootpass); + if(!$conn) + { + $e = mysql_error(); + if(strstr($e, "Lost connection")) + die('host'.$e); + else + die('root'.$e); + } + $rsp = 'good'; + $q = mysql_query('USE '.$dbname, $conn); + if(!$q) + { + $e = mysql_error(); + if(strstr($e, 'Unknown database')) + { + $rsp .= '_creating_db'; + } + } + mysql_close($conn); + $conn = mysql_connect($dbhost, $dbuser, $dbpass); + if(!$conn) + { + $e = mysql_error(); + if(strstr($e, "Lost connection")) + die('host'.$e); + else + $rsp .= '_creating_user'; + } + mysql_close($conn); + die($rsp); + } + else + { + $conn = mysql_connect($dbhost, $dbuser, $dbpass); + if(!$conn) + { + $e = mysql_error(); + if(strstr($e, "Lost connection")) + die('host'.$e); + else + die('auth'.$e); + } + $q = mysql_query('USE '.$dbname, $conn); + if(!$q) + { + $e = mysql_error(); + if(strstr($e, 'Unknown database')) + { + die('name'.$e); + } + else + { + die('perm'.$e); + } + } + } + $v = mysql_get_server_info(); + if(version_compare($v, '4.1.17', '<')) die('vers'.$v); + mysql_close($conn); + die('good'); + break; + case 'pophelp': + $topic = ( isset($_GET['topic']) ) ? $_GET['topic'] : 'invalid'; + switch($topic) + { + case 'admin_embed_php': + $title = 'Allow administrators to embed PHP'; + $content = '

This option allows you to control whether anything between the standard <?php and ?> tags will be treated as + PHP code by Enano. If this option is enabled, and members of the Administrators group use these tags, Enano will + execute that code when the page is loaded. There are obvious potential security implications here, which should + be carefully considered before enabling this option.

+

If you are the only administrator of this site, or if you have a high level of trust for those will be administering + the site with you, you should enable this to allow extreme customization of pages.

+

Leave this option off if you are at all concerned about security – if your account is compromised and PHP embedding + is enabled, an attacker can run arbitrary code on your server! Enabling this will also allow administrators to + embed Javascript and arbitrary HTML and CSS.

+

If you don\'t have experience coding in PHP, you can safely disable this option. You may change this at any time + using the ACL editor by selecting the Administrators group and This Entire Website under the scope selection.

'; + break; + default: + $title = 'Invalid topic'; + $content = 'Invalid help topic.'; + break; + } + echo << + + + Enano installation quick help • {$title} + + + + +

{$title}

+ {$content} +

+ Close window +

+ + +EOF; + exit; + break; + default: + break; +} + +$template = new template_nodb(); +$template->load_theme('stpatty', 'shamrock', false); + +$modestrings = Array( + 'welcome' => 'Welcome', + 'license' => 'License Agreement', + 'sysreqs' => 'Server requirements', + 'database'=> 'Database information', + 'website' => 'Website configuration', + 'login' => 'Administration login', + 'confirm' => 'Confirm installation', + 'install' => 'Database installation', + 'finish' => 'Installation complete' + ); + +$sideinfo = ''; +$vars = $template->extract_vars('elements.tpl'); +$p = $template->makeParserText($vars['sidebar_button']); +foreach ( $modestrings as $id => $str ) +{ + if ( $_GET['mode'] == $id ) + { + $flags = 'style="font-weight: bold; text-decoration: underline;"'; + $this_page = $str; + } + else + { + $flags = ''; + } + $p->assign_vars(Array( + 'HREF' => '#', + 'FLAGS' => $flags . ' onclick="return false;"', + 'TEXT' => $str + )); + $sideinfo .= $p->run(); +} + +$template->init_vars(); + +if(isset($_GET['mode']) && $_GET['mode'] == 'css') +{ + header('Content-type: text/css'); + echo $template->get_css(); + exit; +} + +$template->header(); +if(!isset($_GET['mode'])) $_GET['mode'] = 'license'; +switch($_GET['mode']) +{ + default: + case 'welcome': + ?> +
+ [ Enano CMS Project logo ] +

Welcome to Enano

+

version 1.1.1 – unstable

+ You are about to install a NIGHTLY BUILD of Enano.
Nightly builds are NOT upgradeable and may contain serious flaws, security problems, or extraneous debugging information. Installing this version of Enano on a production site is NOT recommended.
'; + } + ?> +
+ +
+ + +

Welcome to the Enano installer.

+

Thank you for choosing Enano as your CMS. You've selected the finest in design, the strongest in security, and the latest in Web 2.0 toys. Trust us, you'll like it.

+

To get started, please read and accept the following license agreement. You've probably seen it before.

+
+

GNU General Public License

+

Declaration of license usage

+

Enano is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

+

This program is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License (below) for more details.

+

By clicking the button below or otherwise continuing the installation, you indicate your acceptance of this license agreement.

+

Human-readable version

+

Enano is distributed under certain licensing terms that we believe make it of the greatest possible use to the public. The license we distribute it under, the GNU General Public License, provides certain terms and conditions that, rather than limit your use of Enano, allow you to get the most out of it. If you would like to read the full text, it can be found below. Here is a human-readable version that we think is a little easier to understand.

+
    +
  • You may to run Enano for any purpose.
  • +
  • You may study how Enano works and adapt it to your needs.
  • +
  • You may redistribute copies so you can help your neighbor.
  • +
  • You may improve Enano and release your improvements to the public, so that the whole community benefits.
  • +
+

You may exercise the freedoms specified here provided that you comply with the express conditions of this license. The principal conditions are:

+
    +
  • You must conspicuously and appropriately publish on each copy distributed an appropriate copyright notice and disclaimer of warranty and keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of Enano a copy of the GNU General Public License along with Enano. Any translation of the GNU General Public License must be accompanied by the GNU General Public License.
  • +
  • If you modify your copy or copies of Enano or any portion of it, or develop a program based upon it, you may distribute the resulting work provided you do so under the GNU General Public License. Any translation of the GNU General Public License must be accompanied by the GNU General Public License.
  • +
  • If you copy or distribute Enano, you must accompany it with the complete corresponding machine-readable source code or with a written offer, valid for at least three years, to furnish the complete corresponding machine-readable source code.
  • +
+

Disclaimer: The above text is not a license. It is simply a handy reference for understanding the Legal Code (the full license) – it is a human-readable expression of some of its key terms. Think of it as the user-friendly interface to the Legal Code beneath. The above text itself has no legal value, and its contents do not appear in the actual license.
Text copied from the Creative Commons GPL Deed page

+ +

Notice for prerelease versions

+

This version of Enano is designed only for testing and evaluation purposes. It is not yet completely stable, and should not be used on production websites. As with any Enano version, Dan Fuhry and the Enano team cannot be responsible for any damage, physical or otherwise, to any property as a result of the use of Enano. While security is a number one priority, sometimes things slip through.

+ +

Lawyer-readable version

+ +
+ + +

Checking your server

+

Enano has several requirements that must be met before it can be installed. If all is good then note any warnings and click Continue below.

+ + =4.3.0', 'It seems that the version of PHP that your server is running is too old to support Enano properly. If this is your server, please upgrade to the most recent version of PHP, remembering to use the --with-mysql configure option if you compile it yourself. If this is not your server, please contact your webhost and ask them if it would be possible to upgrade PHP. If this is not possible, you will need to switch to a different webhost in order to use Enano.'); + run_test('return function_exists(\'mysql_connect\');', 'MySQL extension for PHP', 'It seems that your PHP installation does not have the MySQL extension enabled. If this is your own server, you may need to just enable the "libmysql.so" extension in php.ini. If you do not have the MySQL extension installed, you will need to either use your distribution\'s package manager to install it, or you will have to compile PHP from source. If you compile PHP from source, please remember to use the "--with-mysql" configure option, and you will have to have the MySQL development files installed (they usually are). If this is not your server, please contact your hosting company and ask them to install the PHP MySQL extension.'); + run_test('return @ini_get(\'file_uploads\');', 'File upload support', 'It seems that your server does not support uploading files. Enano *requires* this functionality in order to work properly. Please ask your server administrator to set the "file_uploads" option in php.ini to "On".'); + run_test('return is_apache();', 'Apache HTTP Server', 'Apparently your server is running a web server other than Apache. Enano will work nontheless, but there are some known bugs with non-Apache servers, and the "fancy" URLs will not work properly. The "Standard URLs" option will be set on the website configuration page, only change it if you are absolutely certain that your server is running Apache.', true); + //run_test('return function_exists(\'finfo_file\');', 'Fileinfo PECL extension', 'The MIME magic PHP extension is used to determine the type of a file by looking for a certain "magic" string of characters inside it. This functionality is used by Enano to more effectively prevent malicious file uploads. The MIME magic option will be disabled by default.', true); + run_test('return is_writable(ENANO_ROOT.\'/config.php\');', 'Configuration file writable', 'It looks like the configuration file, config.php, is not writable. Enano needs to be able to write to this file in order to install.

If you are installing Enano on a SourceForge web site:
SourceForge mounts the web partitions read-only now, so you will need to use the project shell service to symlink config.php to a file in the /tmp/persistent directory.'); + run_test('return file_exists(\'/usr/bin/convert\');', 'ImageMagick support', 'Enano uses ImageMagick to scale images into thumbnails. Because ImageMagick was not found on your server, Enano will use the width= and height= attributes on the <img> tag to scale images. This can cause somewhat of a performance increase, but bandwidth usage will be higher, especially if you use high-resolution images on your site.

If you are sure that you have ImageMagick, you can set the location of the "convert" program using the administration panel after installation is complete.', true); + run_test('return is_writable(ENANO_ROOT.\'/cache/\');', 'Cache directory writable', 'Apparently the cache/ directory is not writable. Enano will still work, but you will not be able to cache thumbnails, meaning the server will need to re-render them each time they are requested. In some cases, this can cause a significant slowdown.', true); + run_test('return is_writable(ENANO_ROOT.\'/files/\');', 'File uploads directory writable', 'It seems that the directory where uploaded files are stored (' . ENANO_ROOT . '/files) cannot be written by the server. Enano will still function, but file uploads will not function, and will be disabled by default.', true); + echo '
'; + if(!$failed) + { + ?> + +
+ '; + run_test('return false;', 'Your server does not meet the requirements for Enano to run.', 'As a precaution, Enano will not install until the above requirements have been met. Contact your server administrator or hosting company and convince them to upgrade. Good luck.'); + echo '
'; + } + } + ?> + + +

Now we need some information that will allow Enano to contact your database server. Enano uses MySQL as a data storage backend, + and we need to have access to a MySQL server in order to continue.

+

If you do not have access to a MySQL server, and you are using your own server, you can download MySQL for free from + MySQL.com. Please note that, like Enano, MySQL is licensed under the GNU GPL. + If you need to modify MySQL and then distribute your modifications, you must either distribute them under the terms of the GPL + or purchase a proprietary license.

+ MySQL login information for this virtual appliance:

Database hostname: localhost
Database login: username "enano", password: "clurichaun" (without quotes)
Database name: enano_www1

'; + } + ?> +
+ + + + + + + + + + + + + +

Database information

Database hostname
This is the hostname (or sometimes the IP address) of your MySQL server. In many cases, this is "localhost".
Good/bad icon
Database name
The name of the actual database. If you don't already have a database, you can create one here, if you have the username and password of a MySQL user with administrative rights.
Good/bad icon
Database login
These fields should be the username and password of a user with "select", "insert", "update", "delete", "create table", and "replace" privileges for your database.
Good/bad icon

Optional information

Table prefix
The value that you enter here will be added to the beginning of the name of each Enano table. You may use lowercase letters (a-z), numbers (0-9), and underscores (_).
Good/bad icon
Database administrative login
If the MySQL database or username that you entered above does not exist yet, you can create them here, assuming that you have the login information for an administrative user (such as root). Leave these fields blank unless you need to use them.
Good/bad icon
MySQL versionMySQL version information will be checked when you click "Test Connection".Good/bad icon
Delete existing tables?
If this option is checked, all the tables that will be used by Enano will be dropped (deleted) before the schema is executed. Do NOT use this option unless specifically instructed to.
+ +
+ restart the installation.'; + $template->footer(); + exit; + } + unset($_POST['_cont']); + ?> + +
+ '."\n"; + } + ?> +

The next step is to enter some information about your website. You can always change this information later, using the administration panel.

+ + + + + + +
Website name
The display name of your website. Allowed characters are uppercase and lowercase letters, numerals, and spaces. This must not be blank or "Enano".
Good/bad icon
Website description
This text will be shown below the name of your website.
Good/bad icon
Copyright info
This should be a one-line legal notice that will appear at the bottom of all your pages.
Good/bad icon
Wiki mode
This feature allows people to create and edit pages on your site. Enano keeps a history of all page modifications, and you can protect pages to prevent editing.
URL scheme
Choose how the page URLs will look. Depending on your server configuration, you may need to select the first option. If you don't know, select the first option, and you can always change it later.
name="urlscheme" value="ugly" id="ugly">
name="urlscheme" value="short" id="short">
+ +
+ restart the installation.'; + $template->footer(); + exit; + } + unset($_POST['_cont']); + require('config.php'); + $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); + if ( isset($crypto_key) ) + { + $cryptkey = $crypto_key; + } + if(!isset($cryptkey) || ( isset($cryptkey) && strlen($cryptkey) != AES_BITS / 4) ) + { + $cryptkey = $aes->gen_readymade_key(); + $handle = @fopen(ENANO_ROOT.'/config.php', 'w'); + if(!$handle) + { + echo '

ERROR: Cannot open config.php for writing - exiting!

'; + $template->footer(); + exit; + } + fwrite($handle, ''); + fclose($handle); + } + ?> + +
+ '."\n"; + } + ?> +

Next, enter your desired username and password. The account you create here will be used to administer your site.

+ + + + + + + + + + + +
Administration username
The administration username you will use to log into your site.
This cannot be "anonymous" or in the form of an IP address.
Good/bad icon
Administration password:Good/bad icon
Enter it again to confirm:
Your e-mail address:Good/bad icon
+ Allow administrators to embed PHP code into pages:
+ Do not under any circumstances enable this option without reading these + important security implications. + +
+    + +
If your browser supports Javascript, the password you enter here will be encrypted with AES before it is sent to the server.
+ +
+ + + +
+ + restart the installation.'; + $template->footer(); + exit; + } + unset($_POST['_cont']); + ?> +
+ '."\n"; + } + ?> +

Enano is ready to install.

+

The wizard has finished collecting information and is ready to install the database schema. Please review the information below, + and then click the button below to install the database.

+
    +
  • Database hostname:
  • +
  • Database name:
  • +
  • Database user:
  • +
  • Database password: <hidden>
  • +
  • Site name:
  • +
  • Site description:
  • +
  • Administration username:
  • +
  • Cipher strength: -bit AES
    Cipher strength is defined in the file constants.php; if you desire to change the cipher strength, you may do so and then restart installation. Unless your site is mission-critical, changing the cipher strength is not necessary.
  • +
+ +
+ restart the installation.'; + $template->footer(); + exit; + } + switch($_POST['urlscheme']) + { + case "ugly": + default: + $cp = scriptPath.'/index.php?title='; + break; + case "short": + $cp = scriptPath.'/index.php/'; + break; + case "tiny": + $cp = scriptPath.'/'; + break; + } + function err($t) { global $template; echo $t; $template->footer(); exit; } + + echo 'Connecting to MySQL...'; + if($_POST['db_root_user'] != '') + { + $conn = mysql_connect($_POST['db_host'], $_POST['db_root_user'], $_POST['db_root_pass']); + if(!$conn) err('Error connecting to MySQL: '.mysql_error()); + $q = mysql_query('USE '.$_POST['db_name']); + if(!$q) + { + $q = mysql_query('CREATE DATABASE '.$_POST['db_name']); + if(!$q) err('Error initializing database: '.mysql_error()); + } + $q = mysql_query('GRANT ALL PRIVILEGES ON '.$_POST['db_name'].'.* TO \''.$_POST['db_user'].'\'@\'localhost\' IDENTIFIED BY \''.$_POST['db_pass'].'\' WITH GRANT OPTION;'); + if(!$q) err('Could not create the user account'); + $q = mysql_query('GRANT ALL PRIVILEGES ON '.$_POST['db_name'].'.* TO \''.$_POST['db_user'].'\'@\'%\' IDENTIFIED BY \''.$_POST['db_pass'].'\' WITH GRANT OPTION;'); + if(!$q) err('Could not create the user account'); + mysql_close($conn); + } + $conn = mysql_connect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass']); + if(!$conn) err('Error connecting to MySQL: '.mysql_error()); + $q = mysql_query('USE '.$_POST['db_name']); + if(!$q) err('Error selecting database: '.mysql_error()); + echo 'done!
'; + + // Are we supposed to drop any existing tables? If so, do it now + if(isset($_POST['drop_tables'])) + { + echo 'Dropping existing Enano tables...'; + // Our list of tables included in Enano + $tables = Array( 'mdg_categories', 'mdg_comments', 'mdg_config', 'mdg_logs', 'mdg_page_text', 'mdg_session_keys', 'mdg_pages', 'mdg_users', 'mdg_users_extra', 'mdg_themes', 'mdg_buddies', 'mdg_banlist', 'mdg_files', 'mdg_privmsgs', 'mdg_sidebar', 'mdg_hits', 'mdg_search_index', 'mdg_groups', 'mdg_group_members', 'mdg_acl', 'mdg_search_cache', 'mdg_tags', 'mdg_page_groups', 'mdg_page_group_members' ); + $tables = implode(', ', $tables); + $tables = str_replace('mdg_', $_POST['table_prefix'], $tables); + $query_of_death = 'DROP TABLE '.$tables.';'; + mysql_query($query_of_death); // We won't check for errors here because if this operation fails it probably means the tables didn't exist + echo 'done!
'; + } + + $cacheonoff = is_writable(ENANO_ROOT.'/cache/') ? '1' : '0'; + + echo 'Decrypting administration password...'; + + $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); + + if ( !empty($_POST['crypt_data']) ) + { + require('config.php'); + if ( !isset($cryptkey) ) + { + echo 'failed!
Cannot get the key from config.php'; + break; + } + $key = hexdecode($cryptkey); + + $dec = $aes->decrypt($_POST['crypt_data'], $key, ENC_HEX); + + } + else + { + $dec = $_POST['admin_pass']; + } + echo 'done!
Generating '.AES_BITS.'-bit AES private key...'; + $privkey = $aes->gen_readymade_key(); + $pkba = hexdecode($privkey); + $encpass = $aes->encrypt($dec, $pkba, ENC_HEX); + + echo 'done!
Preparing for schema execution...'; + $schema = file_get_contents('schema.sql'); + $schema = str_replace('{{SITE_NAME}}', mysql_real_escape_string($_POST['sitename'] ), $schema); + $schema = str_replace('{{SITE_DESC}}', mysql_real_escape_string($_POST['sitedesc'] ), $schema); + $schema = str_replace('{{COPYRIGHT}}', mysql_real_escape_string($_POST['copyright'] ), $schema); + $schema = str_replace('{{ADMIN_USER}}', mysql_real_escape_string($_POST['admin_user'] ), $schema); + $schema = str_replace('{{ADMIN_PASS}}', mysql_real_escape_string($encpass ), $schema); + $schema = str_replace('{{ADMIN_EMAIL}}', mysql_real_escape_string($_POST['admin_email']), $schema); + $schema = str_replace('{{ENABLE_CACHE}}', mysql_real_escape_string($cacheonoff ), $schema); + $schema = str_replace('{{REAL_NAME}}', '', $schema); + $schema = str_replace('{{TABLE_PREFIX}}', $_POST['table_prefix'], $schema); + $schema = str_replace('{{VERSION}}', ENANO_VERSION, $schema); + $schema = str_replace('{{ADMIN_EMBED_PHP}}', $_POST['admin_embed_php'], $schema); + // Not anymore!! :-D + // $schema = str_replace('{{BETA_VERSION}}', ENANO_BETA_VERSION, $schema); + + if(isset($_POST['wiki_mode'])) + { + $schema = str_replace('{{WIKI_MODE}}', '1', $schema); + } + else + { + $schema = str_replace('{{WIKI_MODE}}', '0', $schema); + } + + // Build an array of queries + $schema = explode("\n", $schema); + + foreach ( $schema as $i => $sql ) + { + $query =& $schema[$i]; + $t = trim($query); + if ( empty($t) || preg_match('/^(\#|--)/i', $t) ) + { + unset($schema[$i]); + unset($query); + } + } + + $schema = array_values($schema); + $schema = implode("\n", $schema); + $schema = explode(";\n", $schema); + + foreach ( $schema as $i => $sql ) + { + $query =& $schema[$i]; + if ( substr($query, ( strlen($query) - 1 ), 1 ) != ';' ) + { + $query .= ';'; + } + } + + // echo '
' . htmlspecialchars(print_r($schema, true)) . '
'; + // break; + + echo 'done!
Executing schema.sql...'; + + // OK, do the loop, baby!!! + foreach($schema as $q) + { + $r = mysql_query($q, $conn); + if(!$r) err('Error during mainstream installation: '.mysql_error()); + } + + echo 'done!
Writing configuration files...'; + if($_POST['urlscheme']=='tiny') + { + $ht = fopen(ENANO_ROOT.'/.htaccess', 'a+'); + if(!$ht) err('Error opening file .htaccess for writing'); + fwrite($ht, ' +RewriteEngine on +RewriteCond %{REQUEST_FILENAME} !-d +RewriteCond %{REQUEST_FILENAME} !-f +RewriteRule ^(.+) '.scriptPath.'/index.php?title=$1 [L,QSA] +RewriteRule \.(php|html|gif|jpg|png|css|js)$ - [L] +'); + fclose($ht); + } + + $config_file = ''; + + $cf_handle = fopen(ENANO_ROOT.'/config.php', 'w'); + if(!$cf_handle) err('Couldn\'t open file config.php for writing'); + fwrite($cf_handle, $config_file); + fclose($cf_handle); + + echo 'done!
Starting the Enano API...'; + + $template_bak = $template; + + // Get Enano loaded + $_GET['title'] = 'Main_Page'; + require('includes/common.php'); + + // We need to be logged in (with admin rights) before logs can be flushed + $session->login_without_crypto($_POST['admin_user'], $dec, false); + + // Now that login cookies are set, initialize the session manager and ACLs + $session->start(); + $paths->init(); + + unset($template); + $template =& $template_bak; + + echo 'done!
Initializing logs...'; + + $q = $db->sql_query('INSERT INTO ' . $_POST['table_prefix'] . 'logs(log_type,action,time_id,date_string,author,page_text,edit_summary) VALUES(\'security\', \'install_enano\', ' . time() . ', \'' . date('d M Y h:i a') . '\', \'' . mysql_real_escape_string($_POST['admin_user']) . '\', \'' . mysql_real_escape_string(ENANO_VERSION) . '\', \'' . mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . '\');', $conn); + if ( !$q ) + err('Error setting up logs: '.$db->get_error()); + + if ( !$session->get_permissions('clear_logs') ) + { + echo '
Error: session manager won\'t permit flushing logs, these is a bug.'; + break; + } + + // unset($session); + // $session = new sessionManager(); + // $session->start(); + + PageUtils::flushlogs('Main_Page', 'Article'); + + echo 'done!

Installation of Enano is complete.

Review any warnings above, and then click here to finish the installation.'; + + // echo ''; + + break; + case "finish": + echo '

Congratulations!

+

You have finished installing Enano on this server.

+

Now what?

+

Click the link below to see the main page for your website. Where to go from here:

+
    +
  • The first thing you should do is log into your site using the Log in link on the sidebar.
  • +
  • Go into the Administration panel, expand General, and click General Configuration. There you will be able to configure some basic information about your site.
  • +
  • Visit the Enano Plugin Gallery to download and use plugins on your site.
  • +
  • Periodically create a backup of your database and filesystem, in case something goes wrong. This should be done at least once a week – more for wiki-based sites.
  • +
  • Hire some moderators, to help you keep rowdy users tame.
  • +
  • Tell the Enano team what you think.
  • +
  • Spread the word about Enano by adding a link to the Enano homepage on your sidebar! You can enable this option in the General Configuration section of the administration panel.
  • +
+

Go to your website...

'; + break; +} +$template->footer(); + +?> diff -r ebe99e82a59a -r 473cc747022a plugins/SpecialAdmin.php --- a/plugins/SpecialAdmin.php Sat Oct 20 21:44:13 2007 -0400 +++ b/plugins/SpecialAdmin.php Fri Oct 26 19:28:54 2007 -0400 @@ -4,7 +4,7 @@ Plugin URI: http://enanocms.org/ Description: Provides the page Special:Administration, which is the AJAX frontend to the various Admin pagelets. This plugin cannot be disabled. Author: Dan Fuhry -Version: 1.0.1 +Version: 1.0.2 Author URI: http://enanocms.org/ */ @@ -3224,7 +3224,10 @@ $c = ($template->fetch_block($row['block_content'])) ? $template->fetch_block($row['block_content']) : 'Can\'t find plugin block'; break; } - $t = $template->tplWikiFormat($row['block_name']); + $block_name = $template->tplWikiFormat($row['block_name']); + if ( empty($block_name) ) + $block_name = '<Unnamed>'; + $t = '' . $block_name . ''; if($row['item_enabled'] == 0) $t .= ' (disabled)'; else $t .= ' '; $side = ( $row['sidebar_id'] == SIDEBAR_LEFT ) ? SIDEBAR_RIGHT : SIDEBAR_LEFT; diff -r ebe99e82a59a -r 473cc747022a plugins/SpecialGroups.php --- a/plugins/SpecialGroups.php Sat Oct 20 21:44:13 2007 -0400 +++ b/plugins/SpecialGroups.php Fri Oct 26 19:28:54 2007 -0400 @@ -50,10 +50,10 @@ { die_friendly('Error', '

Hacking attempt

'); } - $q = $db->sql_query('SELECT group_name,group_type FROM '.table_prefix.'groups WHERE group_id=' . $gid . ';'); + $q = $db->sql_query('SELECT group_name,group_type,system_group FROM '.table_prefix.'groups WHERE group_id=' . $gid . ';'); if ( !$q ) { - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); } $row = $db->fetchrow(); $db->free_result(); @@ -70,7 +70,7 @@ ORDER BY m.is_mod DESC,u.username ASC;'); if ( !$q ) { - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); } $is_member = false; @@ -127,11 +127,29 @@ { die_friendly('ERROR', '

Hacking attempt

'); } - $q = $db->sql_query('UPDATE '.table_prefix.'groups SET group_type=' . intval($_POST['group_state']) . ' WHERE group_id=' . intval( $_POST['group_id']) . ';'); - if (!$q) - $db->_die(); - $row['group_type'] = $_POST['group_state']; - echo '
The group state was updated.
'; + $q = $db->sql_query('SELECT group_type, system_group FROM '.table_prefix.'groups WHERE group_id=' . intval( $_POST['group_id']) . ';'); + if ( !$q ) + $db->_die('SpecialGroups.php, line ' . __LINE__); + $error = false; + if ( $db->numrows() < 1 ) + { + echo '
The group you selected does not exist.
'; + $error = true; + } + $r = $db->fetchrow(); + if ( $r['system_group'] == 1 && ( intval($_POST['group_state']) == GROUP_OPEN || intval($_POST['group_state']) == GROUP_REQUEST ) ) + { + echo '
Because this is a system group, you can\'t make it open or allow membership requests.
'; + $error = true; + } + if ( !$error ) + { + $q = $db->sql_query('UPDATE '.table_prefix.'groups SET group_type=' . intval($_POST['group_state']) . ' WHERE group_id=' . intval( $_POST['group_id']) . ';'); + if (!$q) + $db->_die('SpecialGroups.php, line ' . __LINE__); + $row['group_type'] = $_POST['group_state']; + echo '
The group state was updated.
'; + } break; case 'adduser': $username = $_POST['add_username']; @@ -139,7 +157,7 @@ $q = $db->sql_query('SELECT user_id FROM '.table_prefix.'users WHERE username=\'' . $db->escape($username) . '\';'); if (!$q) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); if ($db->numrows() < 1) { echo '
The username you entered could not be found.
'; @@ -152,7 +170,7 @@ // Check if the user is already in the group, and if so, only update modship $q = $db->sql_query('SELECT member_id,is_mod FROM '.table_prefix.'group_members WHERE user_id=' . $uid . ' AND group_id=' . intval($_POST['group_id']) . ';'); if ( !$q ) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); if ( $db->numrows() > 0 ) { $r = $db->fetchrow(); @@ -160,7 +178,7 @@ { $q = $db->sql_query('UPDATE '.table_prefix.'group_members SET is_mod=' . $mod . ' WHERE member_id=' . $r['member_id'] . ';'); if ( !$q ) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); foreach ( $members as $i => $member ) { if ( $member['member_id'] == $r['member_id'] ) @@ -179,7 +197,7 @@ $q = $db->sql_query('INSERT INTO '.table_prefix.'group_members(group_id,user_id,is_mod) VALUES(' . intval($_POST['group_id']) . ', ' . $uid . ', ' . $mod . ');'); if (!$q) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); echo '
The user "' . $username . '" has been added to this usergroup.
'; $q = $db->sql_query('SELECT u.username,u.email,u.reg_time,m.member_id,m.user_id,m.is_mod,COUNT(c.comment_id) @@ -195,7 +213,7 @@ ORDER BY m.is_mod DESC,u.username ASC LIMIT 1;'); if ( !$q ) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); $r = $db->fetchrow(); $members[] = $r; @@ -209,7 +227,7 @@ { $q = $db->sql_query('DELETE FROM '.table_prefix.'group_members WHERE member_id=' . $member['member_id'] . ';'); if (!$q) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); unset($members[$i]); } } @@ -223,7 +241,7 @@ { $q = $db->sql_query('UPDATE '.table_prefix.'group_members SET pending=0 WHERE member_id=' . $member['member_id'] . ';'); if (!$q) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); $members[] = $member; unset($pending[$i]); continue; @@ -232,7 +250,7 @@ { $q = $db->sql_query('DELETE FROM '.table_prefix.'group_members WHERE member_id=' . $member['member_id'] . ';'); if (!$q) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); unset($pending[$i]); } } @@ -246,7 +264,7 @@ { $q = $db->sql_query('INSERT INTO '.table_prefix.'group_members(group_id,user_id) VALUES(' . $gid . ', ' . $session->user_id . ');'); if (!$q) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); echo '
You have been added to this group.
'; $q = $db->sql_query('SELECT u.username,u.email,u.reg_time,m.member_id,m.user_id,m.is_mod,COUNT(c.comment_id) @@ -262,7 +280,7 @@ ORDER BY m.is_mod DESC,u.username ASC LIMIT 1;'); if ( !$q ) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); $r = $db->fetchrow(); $members[] = $r; @@ -274,7 +292,7 @@ { $q = $db->sql_query('INSERT INTO '.table_prefix.'group_members(group_id,user_id,pending) VALUES(' . $gid . ', ' . $session->user_id . ', 1);'); if (!$q) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); echo '
A request has been sent to the moderator(s) of this group to add you.
'; } @@ -305,7 +323,7 @@ Group name: - ' . $row['group_name'] . ' + ' . $row['group_name'] . ( $row['system_group'] == 1 ? ' (system group)' : '' ) . ' Membership status: diff -r ebe99e82a59a -r 473cc747022a plugins/SpecialPageFuncs.php --- a/plugins/SpecialPageFuncs.php Sat Oct 20 21:44:13 2007 -0400 +++ b/plugins/SpecialPageFuncs.php Fri Oct 26 19:28:54 2007 -0400 @@ -109,6 +109,17 @@ exit; } + if ( substr($urlname, 0, 8) == 'Project:' ) + { + $template->header(); + + echo '

The page could not be created.

The page title can\'t start with "Project:" because this prefix is reserved for a parser shortcut.

'; + + $template->footer(); + $db->close(); + + exit; + } $tn = $paths->nslist[$_POST['namespace']] . $urlname; if ( isset($paths->pages[$tn]) ) diff -r ebe99e82a59a -r 473cc747022a upgrade.php diff -r ebe99e82a59a -r 473cc747022a upgrade.sql