define('CCMS_PERFORM_MINIMAL_INIT', true);
} // closes a conditional that starts before this fragment

// Define default location
// BASE_PATH is derived from this file's own location (five directories up) and
// normalised to forward slashes so the same path string works on Windows.
if (!defined('BASE_PATH')) {
    $base = str_replace('\\', '/', dirname(dirname(dirname(dirname(dirname(__FILE__))))));
    define('BASE_PATH', $base);
}

// Include general configuration
/*MARKER*/
require_once BASE_PATH . '/lib/sitemap.php';

// Set default variables
// All three values come straight from the query string via the project's typed
// GET accessors; what each accessor does to the raw value is not visible here.
// NOTE(review): the name of getGETparam4DisplayHTML() suggests $status_message is
// meant to be echoed as HTML — confirm that accessor escapes before relying on it.
$do = getGETparam4IdOrNumber('do');
$status = getGETparam4IdOrNumber('status');
$status_message = getGETparam4DisplayHTML('msg');

// Open recordset for specified user
// The id is wrapped by MySQL::SQLValue() as a number rather than being
// concatenated into query text; a missing row or a non-positive id both end the
// request with the same generic message, so nothing distinguishes the two cases.
$userID = getGETparam4Number('userID');
if ($userID > 0) {
    $row = $db->SelectSingleRow($cfg['db_prefix'] . 'users', array('userID' => MySQL::SQLValue($userID, MySQL::SQLVALUE_NUMBER)));
    if (!$row) {
        $db->Kill($ccms['lang']['system']['error_general']);
    }
} else {
    die($ccms['lang']['system']['error_general']);
}

// NOTE(review): the user lookup above runs before this session/auth test, so
// this file relies on sitemap.php (or what it includes) having already rejected
// unauthenticated requests — verify that is the case. rc1 is tested with isset()
// but rc2 with !empty(); presumably intentional, but worth confirming.
if (isset($_SESSION['rc1']) && !empty($_SESSION['rc2']) && checkAuth()) {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<title>Edit users</title>
/* make darn sure only authenticated users can get past this point in the code */
if (empty($_SESSION['ccms_userID']) || empty($_SESSION['ccms_userName']) || !checkAuth()) {
    // this situation should've been caught inside sitemap.php-->security.inc.php above! This is just a safety measure here.
    die_with_forged_failure_msg(__FILE__, __LINE__); // $ccms['lang']['auth']['featnotallowed']
}

// Prevent PHP warning by setting default (null) values
$do_action = getGETparam4IdOrNumber('action');

/**
 *
 * Generate the WYSIWYG or code editor for editing purposes (prev. editor.php)
 *
 */
// Only the GET form of 'edit' is handled here; checkAuth() is re-evaluated even
// though the guard above already required it. '==' is a loose comparison — fine
// for two plain strings, but '===' would make the intent explicit.
// NOTE(review): the guard above checks ccms_userID and ccms_userName but not
// ccms_userLevel, which the permission checks below read — confirm it is always
// set alongside the other two.
if ($do_action == 'edit' && $_SERVER['REQUEST_METHOD'] == 'GET' && checkAuth()) {
    // Set the necessary variables
    // page_id is wrapped by MySQL::SQLValue() as a number; a missing row aborts
    // the request via $db->Kill().
    $page_id = getGETparam4Number('page_id');
    $row = $db->SelectSingleRow($cfg['db_prefix'] . 'pages', array('page_id' => MySQL::SQLValue($page_id, MySQL::SQLVALUE_NUMBER)));
    if (!$row) {
        $db->Kill();
    }
    // user_ids is a single '||'-delimited column listing the page's owners.
    $owner = explode('||', strval($row->user_ids));
    // Authorisation: the editing level is always required; the coding level is
    // additionally required when the page is marked iscoding = 'Y'; pages listed in
    // $cfg['restrict'] are further limited to their owners.
    // NOTE(review): both in_array() calls are non-strict, so numeric strings compare
    // numerically ('1' == '01'); passing true as the third argument would make the
    // restriction and ownership tests exact.
    if ($perm->is_level_okay('managePageEditing', $_SESSION['ccms_userLevel']) && ($row->iscoding != 'Y' || $perm->is_level_okay('managePageCoding', $_SESSION['ccms_userLevel'])) && (!in_array($row->urlpage, $cfg['restrict']) || in_array($_SESSION['ccms_userID'], $owner))) {
        $iscoding = $row->iscoding;
        $active = $row->published;
        $name = $row->urlpage;
        // The content file path is built from the stored urlpage, not from the request.
        // NOTE(review): that makes the write-side validation of urlpage the only thing
        // keeping '..' or path separators out of this path — verify it is enforced there.
        $filename = BASE_PATH . '/content/' . $name . '.php';
        if (0) { // dead branch: never executes
            // Check for editor.css in template directory
            $template = $row->variant;
        }
        // Check for filename
* This produces the following query as a result:
*
*   SELECT COUNT(commentID) FROM <db_prefix>modcomment WHERE page_id = <number>
*
* NOTE that this type of usage assumes the 'raw string' (the third argument,
* here the literal 'COUNT(commentID)') has been correctly processed by the
* caller, i.e. all SQL injection attack prevention precautions have been taken.
* Hardcoding it like this is the safest possible thing; never build that
* argument from request data. The page_id value itself is wrapped by
* MySQL::SQLValue() as a number.
*/
$total = $db->SelectSingleValue($cfg['db_prefix'] . 'modcomment', array('page_id' => MySQL::SQLValue($page_id, MySQL::SQLVALUE_NUMBER)), 'COUNT(commentID)');
if ($db->ErrorNumber()) {
    $db->Kill();
}

// Paging: 'offset' is a page index; $max (items per page) is defined before this
// fragment. NOTE(review): $max is used as a divisor and modulus below, so it must
// be a non-zero integer here — confirm where it is set.
$limit = getGETparam4Number('offset') * $max;

// feature: if a comment 'bookmark' was specified, jump to the matching 'page'...
// NOTE(review): this treats commentID as a 1-based position within this page's
// comment list (commentID - 1, rounded down to a multiple of $max). If commentID
// is a table-wide auto-increment id, that is not the same thing — verify.
$commentID = getGETparam4Number('commentID');
if ($commentID > 0) {
    $limit = $commentID - 1;
    $limit -= $limit % $max;
}
// Clamp into [0, $total - 1]: a request past the end lands on the last page,
// a negative value or an empty result lands on the first.
if ($limit >= $total) {
    $limit = $total - 1;
}
if ($limit < 0) {
    $limit = 0;
}
$offset = intval($limit / $max);
// LIMIT clause text, built only from integer arithmetic (assuming $max is an
// integer), never from the raw request value.
$limit4sql = $offset * $max . ',' . $max;

// Set front-end language
SetUpLanguageAndLocale($rsLoc);

// Load recordset
} // closes a conditional that starts before this fragment

// Define default location
// BASE_PATH is derived from this file's own location (four directories up) and
// normalised to forward slashes so the same path string works on Windows.
if (!defined('BASE_PATH')) {
    $base = str_replace('\\', '/', dirname(dirname(dirname(dirname(__FILE__)))));
    define('BASE_PATH', $base);
}

// Include general configuration
/*MARKER*/
require_once BASE_PATH . '/admin/includes/security.inc.php'; // when session expires or is overridden, the login page won't show if we don't include this one, but a cryptic error will be printed.

// Both editor languages must have been set up by the include above; bail out
// early rather than fail later with an obscure error.
if (empty($cfg['MT_FileManager_language']) || empty($cfg['tinymce_language'])) {
    die("INTERNAL LANGUAGE INIT ERROR!");
}

$do = getGETparam4IdOrNumber('do');

// Open recordset for specified user
// Request parameters are read through the project's typed GET accessors;
// judging by the accessor names, newsID is numeric-only while page_id may be
// an id string or a number.
$newsID = getGETparam4Number('newsID');
$page_id = getGETparam4IdOrNumber('page_id');

// Authentication and the manageModNews level are both required before any
// database access below.
if (!(checkAuth() && $perm->is_level_okay('manageModNews', $_SESSION['ccms_userLevel']))) {
    die("No external access to file");
}
// NOTE(review): this message embeds __FILE__, i.e. the absolute server path, in
// the response body. Logging the location and showing only the generic message
// would avoid disclosing the install path to the client.
if (!$page_id) {
    die($ccms['lang']['system']['error_forged'] . ' (' . __FILE__ . ', ' . __LINE__ . ')');
}
if ($newsID && $page_id) {
    // Query text is concatenated, but both request values pass through
    // MySQL::SQLValue() as numbers rather than being embedded raw.
    // NOTE(review): page_id was read with the Id-or-Number accessor, so it can be
    // a non-numeric string; confirm SQLValue() with SQLVALUE_NUMBER rejects or
    // converts such a value instead of emitting it verbatim.
    // NOTE(review): SELECT * with the LEFT JOIN pulls every column of the users
    // row into $news; if that table holds credential fields, selecting only the
    // columns this page renders would be safer.
    $news = $db->QuerySingleRow("SELECT * FROM `" . $cfg['db_prefix'] . "modnews` m LEFT JOIN `" . $cfg['db_prefix'] . "users` u ON m.userID = u.userID WHERE newsID = " . MySQL::SQLValue($newsID, MySQL::SQLVALUE_NUMBER) . " AND page_id = " . MySQL::SQLValue($page_id, MySQL::SQLVALUE_NUMBER));
    if (!$news) {
        $db->Kill();
    }
}

// Form element ids for the two editors; the '_<newsID>' suffix is present only
// when an existing item is being edited. str2variablename() presumably reduces
// the string to identifier-safe characters — page_id is request-controlled, so
// that matters wherever these ids are written into markup; verify.
$textarea4teaser_id = str2variablename('newstease_' . $page_id . (!empty($newsID) ? '_' . $newsID : ''));
$textarea4article_id = str2variablename('newsarticle_' . $page_id . (!empty($newsID) ? '_' . $newsID : ''));