function removeXss($string)
{
if (is_array($string)) {
$return = array();
foreach ($string as $key => $val) {
$return[removeXss($key)] = removeXss($val);
}
return $return;
}
#$string = preg_replace('/<script/im','<script',$string);
$string = htmlspecialchars($string);
return $string;
}
}
if (isset($_GET['listid'])) {
$listid = sprintf('%d', $_GET['listid']);
} else {
$listid = 0;
}
if (isset($_GET['find'])) {
if (!isset($_GET['findby'])) {
$_GET['findby'] = '';
}
if ($_GET['find'] == 'NULL') {
$_SESSION['userlistfilter']['find'] = '';
$_SESSION['userlistfilter']['findby'] = '';
} else {
$_SESSION['userlistfilter']['find'] = removeXss($_GET['find']);
$_SESSION['userlistfilter']['findby'] = removeXss($_GET['findby']);
}
} else {
$_SESSION['userlistfilter']['find'] = '';
$_SESSION['userlistfilter']['findby'] = '';
}
$find = $_SESSION['userlistfilter']['find'];
$findby = $_SESSION['userlistfilter']['findby'];
if (!$findby) {
$findby = 'email';
}
$findtables = '';
$findbyselect = '';
$findfield = '';
$findfieldname = '';
$find_url = '';
<?php
ob_start();
$er = error_reporting(0);
require_once dirname(__FILE__) . '/admin/inc/unregister_globals.php';
require_once dirname(__FILE__) . '/admin/inc/magic_quotes.php';
## none of our parameters can contain html for now
$_GET = removeXss($_GET);
$_POST = removeXss($_POST);
$_REQUEST = removeXss($_REQUEST);
$_COOKIE = removeXss($_COOKIE);
if (isset($_SERVER['ConfigFile']) && is_file($_SERVER['ConfigFile'])) {
include $_SERVER['ConfigFile'];
} elseif (is_file('config/config.php')) {
include 'config/config.php';
} else {
print "Error, cannot find config file\n";
exit;
}
require_once dirname(__FILE__) . '/admin/init.php';
$GLOBALS['database_module'] = basename($GLOBALS['database_module']);
$GLOBALS['language_module'] = basename($GLOBALS['language_module']);
require_once dirname(__FILE__) . '/admin/' . $GLOBALS['database_module'];
# load default english and language
include_once dirname(__FILE__) . '/texts/english.inc';
# Allow customisation per installation
if (is_file($_SERVER['DOCUMENT_ROOT'] . '/' . $GLOBALS['language_module'])) {
include_once $_SERVER['DOCUMENT_ROOT'] . '/' . $GLOBALS['language_module'];
}
include_once dirname(__FILE__) . '/admin/languages.php';
require_once dirname(__FILE__) . '/admin/defaultconfig.php';
<?php
ob_start();
$er = error_reporting(0);
require_once dirname(__FILE__) . '/admin/inc/unregister_globals.php';
require_once dirname(__FILE__) . '/admin/inc/magic_quotes.php';
## none of our parameters can contain html for now
$_GET = removeXss($_GET);
$_POST = removeXss($_POST);
$_REQUEST = removeXss($_REQUEST);
if (isset($_SERVER['ConfigFile']) && is_file($_SERVER['ConfigFile'])) {
include $_SERVER['ConfigFile'];
} elseif (is_file('config/config.php')) {
include 'config/config.php';
} else {
print "Error, cannot find config file\n";
exit;
}
require_once dirname(__FILE__) . '/admin/init.php';
$GLOBALS['database_module'] = basename($GLOBALS['database_module']);
$GLOBALS['language_module'] = basename($GLOBALS['language_module']);
require_once dirname(__FILE__) . '/admin/' . $GLOBALS['database_module'];
# load default english and language
include_once dirname(__FILE__) . '/texts/english.inc';
# Allow customisation per installation
if (is_file($_SERVER['DOCUMENT_ROOT'] . '/' . $GLOBALS['language_module'])) {
include_once $_SERVER['DOCUMENT_ROOT'] . '/' . $GLOBALS['language_module'];
}
include_once dirname(__FILE__) . '/admin/languages.php';
require_once dirname(__FILE__) . '/admin/defaultconfig.php';
require_once dirname(__FILE__) . '/admin/connect.php';
case "all":
$subselect = "";
break;
case "none":
default:
$subselect = " where id = 0";
break;
}
if (isset($_GET['id'])) {
$id = sprintf('%d', $_GET['id']);
} else {
$id = 0;
}
if (isset($_POST["save"]) || isset($_POST["activate"]) || isset($_POST["deactivate"])) {
$owner = $_POST["owner"];
$title = removeXss($_POST['title']);
if (!$owner) {
$owner = $_SESSION['logindetails']['id'];
}
if ($id) {
Sql_Query(sprintf('update %s set title = "%s",owner = %d where id = %d', $tables["subscribepage"], $title, $owner, $id));
} else {
Sql_Query(sprintf('insert into %s (title,owner) values("%s",%d)', $tables["subscribepage"], $title, $owner));
$id = Sql_Insert_id();
}
Sql_Query(sprintf('delete from %s where id = %d', $tables["subscribepage_data"], $id));
foreach (array("title", "language_file", "intro", "header", "footer", "thankyoupage", "button", "htmlchoice", "emaildoubleentry") as $item) {
Sql_Query(sprintf('insert into %s (name,id,data) values("%s",%d,"%s")', $tables["subscribepage_data"], $item, $id, $_POST[$item]));
}
foreach (array("subscribesubject", "subscribemessage", "confirmationsubject", "confirmationmessage") as $item) {
SaveConfig("{$item}:{$id}", stripslashes($_POST[$item]), 0);
<?php
require_once 'accesscheck.php';
$find_url = '';
$where = '';
$filter = '';
$exclude = '';
$s = 0;
if (isset($_GET['s'])) {
$s = sprintf('%d', $_GET['s']);
}
$start = !empty($_GET['start']) ? sprintf('%d', $_GET['start']) : 0;
if (isset($_GET['filter'])) {
$filter = removeXss($_GET['filter']);
if (isset($_GET['exclude'])) {
$exclude = $_GET['exclude'];
$where = ' where page not like "%' . $filter . '%" and entry not like "%' . $filter . '%"';
$exclude_url = '&exclude=' . sprintf('%d', $_GET["exclude"]);
} else {
$where = ' where page like "%' . $filter . '%" or entry like "%' . $filter . '%"';
$exclude_url = '';
}
$find_url = '&filter=' . urlencode($filter) . $exclude_url;
}
$order = ' order by entered desc, id desc';
if (isset($_GET['delete']) && $_GET['delete']) {
# delete the index in delete
$delete = sprintf('%d', $_GET['delete']);
$_SESSION['action_result'] = $GLOBALS['I18N']->get('Deleting') . ' ' . $delete . "..\n";
if ($require_login && !isSuperUser()) {
}
if (isset($_GET['listid'])) {
$listid = sprintf('%d', $_GET['listid']);
} else {
$listid = 0;
}
if (isset($_GET["find"])) {
if (!isset($_GET['findby'])) {
$_GET['findby'] = '';
}
if ($_GET["find"] == "NULL") {
$_SESSION["userlistfilter"]["find"] = "";
$_SESSION["userlistfilter"]["findby"] = "";
} else {
$_SESSION["userlistfilter"]["find"] = removeXss($_GET["find"]);
$_SESSION["userlistfilter"]["findby"] = removeXss($_GET["findby"]);
}
} else {
$_SESSION["userlistfilter"]["find"] = "";
$_SESSION["userlistfilter"]["findby"] = "";
}
$find = $_SESSION["userlistfilter"]["find"];
$findby = $_SESSION["userlistfilter"]["findby"];
if (!$findby) {
$findby = "email";
}
# hmm interesting, if they select a findby but not a find, use the Sql wildcard:
if ($findby && !$find) {
# this is very slow, so instead erase the findby
# $find = '%';
$findby = '';
function saveFeedback()
{
if (load('string')) {
$fb_time = removeXss($this->_post('fbtime', ''));
$fb_type = strtolower(removeXss($this->_post('fbtype', '')));
$fb_result = removeXss($this->_post('fbresult', ''));
$fb_content = trim(removeXss($this->_post('feedbackContent', '')));
$fb_upload = trim($this->_post('fb_upload', ''));
$feedbackConfig = C('feedback');
if (!isHave($feedbackConfig['type']) || !is_array($feedbackConfig['type']) || !isHave($feedbackConfig['maxLen']) || !is_numeric($feedbackConfig['maxLen'])) {
return $this->JsonReturn('配置信息错误');
}
if (!preg_match('/^[_a-z]+$/', $fb_type)) {
return $this->JsonReturn('反馈类型错误');
}
if (!isHave($feedbackConfig['type'][$fb_type])) {
return $this->JsonReturn('无该反馈类型');
}
if (!preg_match('/^[_a-z]+$/', $fb_result)) {
return $this->JsonReturn('请选择正确的处理结果');
}
if (!isHave($feedbackConfig['result'][$fb_result])) {
return $this->JsonReturn('无该处理结果');
}
if (!strtotime($fb_time)) {
return $this->JsonReturn('时间错误');
}
if (strlen($fb_content) <= 0) {
return $this->JsonReturn('请填写反馈内容,最大长度2000字符');
}
if (strlen($fb_content) >= $feedbackConfig['maxLen']) {
return $this->JsonReturn('反馈内容超出限制');
}
/* TODO
* 对于upload应该怎么样检查
*/
$feedback = array('worker_uid' => steadmin::$adminInfo['user_id'], 'type' => $feedbackConfig['type'][$fb_type]['id'], 'result' => $feedbackConfig['result'][$fb_result]['id'], 'content' => $fb_content, 'fb_time' => inTime($fb_time), 'fb_upload' => $fb_upload);
if (D('feedback')->save($feedback)) {
return $this->JsonReturn('保存成功,可继续添加反馈', null, 1);
} else {
return $this->JsonReturn('保存失败');
}
} else {
$this->JsonReturn('加载string函数库时发生了错误');
}
}
function logEvent($msg)
{
global $tables;
if (isset($GLOBALS['page'])) {
$p = $GLOBALS['page'];
} elseif (isset($_GET['page'])) {
$p = $_GET['page'];
} elseif (isset($_GET['p'])) {
$p = $_GET['p'];
} else {
$p = 'unknown page';
}
$p = removeXss($p);
if (Sql_Table_Exists($tables["eventlog"])) {
Sql_Query(sprintf('insert into %s (entered,page,entry) values(now(),"%s","%s")', $tables["eventlog"], sql_escape($p), htmlspecialchars(sql_escape($msg))));
}
}
function wordsFilter($content = '', $delhtmltag = false)
{
if (empty($content)) {
return '';
}
if (!$delhtmltag) {
return htmlspecialchars(strip_tags($content));
} else {
load('string.fun');
return removeXss($content);
}
}
$subselect = " where id = 0";
break;
}
}
if ($id) {
echo "<br />" . PageLink2("members", $GLOBALS['I18N']->get('Members of this list'), "id={$id}");
}
echo "<hr />";
if (isset($_POST["save"]) && isset($_POST["listname"]) && $_POST["listname"]) {
if ($GLOBALS["require_login"] && !isSuperUser()) {
$owner = $_SESSION["logindetails"]["id"];
}
if (!isset($_POST["active"])) {
$_POST["active"] = 0;
}
$_POST['listname'] = removeXss($_POST['listname']);
if ($id) {
$query = sprintf('update %s set name="%s",description="%s",
active=%d,listorder=%d,prefix = "%s", owner = %d, rssfeed = "%s"
where id=%d %s', $tables["list"], addslashes($_POST["listname"]), sql_escape($_POST["description"]), $_POST["active"], $_POST["listorder"], sql_escape($_POST["prefix"]), sql_escape($_POST["owner"]), sql_escape($_POST["rssfeed"]), $id, $subselect_and);
} else {
$query = sprintf('insert into %s
(name,description,entered,listorder,owner,prefix,rssfeed,active)
values("%s","%s",now(),%d,%d,"%s","%s",%d)', $tables["list"], sql_escape($_POST["listname"]), sql_escape($_POST["description"]), $_POST["listorder"], sql_escape($_POST["owner"]), sql_escape($_POST["prefix"]), sql_escape($_POST["rssfeed"]), $_POST["active"]);
}
# print $query;
$result = Sql_Query($query);
if (!$id) {
$id = sql_insert_id();
}
Redirect('list');
<?php
ob_start();
$er = error_reporting(0);
require_once dirname(__FILE__) . '/admin/commonlib/lib/unregister_globals.php';
require_once dirname(__FILE__) . '/admin/commonlib/lib/magic_quotes.php';
require_once dirname(__FILE__) . '/admin/init.php';
## none of our parameters can contain html for now
$_GET = removeXss($_GET);
$_POST = removeXss($_POST);
$_REQUEST = removeXss($_REQUEST);
$_SERVER = removeXss($_SERVER);
if (isset($_SERVER["ConfigFile"]) && is_file($_SERVER["ConfigFile"])) {
# print '<!-- using '.$_SERVER["ConfigFile"].'-->'."\n";
include $_SERVER["ConfigFile"];
} elseif (isset($_ENV["CONFIG"]) && is_file($_ENV["CONFIG"])) {
# print '<!-- using '.$_ENV["CONFIG"].'-->'."\n";
include $_ENV["CONFIG"];
} elseif (is_file("config/config.php")) {
# print '<!-- using config/config.php -->'."\n";
include "config/config.php";
} else {
print "Error, cannot find config file\n";
exit;
}
if (0) {
#isset($GLOBALS["developer_email"]) && $GLOBALS['show_dev_errors']) {
error_reporting(E_ALL);
} else {
error_reporting(0);
}
$ls->addButton($GLOBALS['I18N']->get("reload"), $baseurl . '&tab=' . $_GET["tab"]);
}
$existing_criteria = $ls->display();
} else {
if ($messageid) {
Sql_query(sprintf('update %s set userselection = "" where id = %d', $tables["message"], $messageid));
}
}
}
// end of define STACKED_ATTRIBUTES
##############################
# Stacked attributes, end
##############################
// Pull in $footer variable from post
if (isset($_POST["footer"])) {
$footer = removeXss($_POST["footer"]);
}
// If $id wasn't passed in (if it was passed, then $_POST should have
// the database value in it already, and if it's empty, then we should
// leave it empty) and $footer is blank, load the default.
if (!$footer) {
$footer = getConfig("messagefooter");
}
echo $errormsg;
if (!$done) {
if (ALLOW_ATTACHMENTS) {
$enctype = 'enctype="multipart/form-data"';
} else {
$enctype = '';
}
#$baseurl = sprintf('./?page=%s&id=%d',$_GET["page"],$_GET["id"]);
