Example #1
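	/**
	 * Recursively "clean" a value according to the requested mode.
	 *
	 * Arrays are processed element by element (keys are not touched). For
	 * scalars the mode selects the transformation:
	 *   - "standard": addslashes(), skipped when magic quotes already slashed the input
	 *   - "sql":      database::escape() on the un-slashed value
	 *   - "html":     database::escape() on the un-slashed value, then htmlentities()
	 *   - "integer":  intval()
	 * Any other $type falls through the switch and the value is returned unchanged.
	 *
	 * Security caveats for callers:
	 *   - "standard" is not an SQL-injection defence: addslashes() ignores the
	 *     connection character set. Use the "sql" mode or bound parameters.
	 *   - "html" applies SQL escaping before HTML encoding, so the result suits
	 *     neither context cleanly, and htmlentities() runs with its default
	 *     flags (single quotes are left unencoded before PHP 8.1).
	 *   - A misspelt $type silently returns the raw input.
	 *
	 * @param mixed  $data Scalar or (nested) array of values to clean.
	 * @param string $type One of "standard", "sql", "html", "integer".
	 * @return mixed The cleaned value, with the same array shape as the input.
	 */
	public static function cleanData ($data, $type = 'standard')
	{
		// get_magic_quotes_gpc() no longer exists as of PHP 8.0, where an unguarded
		// call is a fatal error. When the function is absent, magic quotes are off.
		$magicquotes = (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() == 1);
		if (is_array($data))
		{
			foreach ($data as $k => $v)
			{
				$data[$k] = janitor::cleanData($v, $type);
			}
		} else
		{
			# Actual processing
			switch ($type)
			{
				case "standard":
					$data = ($magicquotes ? $data : addslashes($data));
					break;
				case "sql":
					// Undo the magic-quotes slashes first so the value is not escaped twice.
					$data = ($magicquotes ? database::escape(stripslashes($data)) : database::escape($data));
					break;
				case "html":
					$data = htmlentities(
					($magicquotes ? database::escape(stripslashes($data)) : database::escape($data)));
					break;
				case "integer":
					$data = intval($data);
					break;
			}
		}
		return $data;
	}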
Example #2
 /**
  * @en SQL query escaping
  *
  * Hands the value to the escape() method of the wrapped database object and
  * returns whatever that method produces.
  *
  * NOTE(review): escaping of this kind normally protects a value only inside
  * a quoted SQL string literal; confirm the driver's behaviour before using
  * the result as an identifier or in an unquoted numeric position.
  *
  * @param mixed $var
  *
  * @return string
  */
 public function escape($var)
 {
     $escaped = $this->database->escape($var);

     return $escaped;
 }
Example #3
    // NOTE(review): $sq_id is concatenated straight into both DELETE statements. Where it
    // comes from is outside this excerpt; confirm it is validated as an integer, or bind it.
    $deleteQuery = "DELETE FROM files WHERE subq_id='" . $sq_id . "'";
    $databaseObj->send_sql($deleteQuery);
    $deletesubque = "DELETE FROM submissionqueue WHERE subq_id='" . $sq_id . "'";
    $databaseObj->send_sql($deletesubque);
}
if (isset($_POST['hid'])) {
    // addslashes() is not aware of the connection character set, so it is not a
    // substitute for the driver's escape() or for bound parameters.
    $course_id = addslashes(strip_tags($_POST['hid']));
    // Connect to the database
    // NOTE(review): $db is set up here, but the visible code below uses $databaseObj.
    $db = new database();
    $db->setup(DB_USER, DB_PASS, DB_HOST, DB_NAME);
    $flag = false;
    $subq_id = 0;
    $s_id = addslashes(strip_tags($_SESSION['cwid']));
    $wrongtype = 0;
    // First pass: reject the request when any upload is not declared as a PDF.
    // NOTE(review): $_FILES[...]['type'] is whatever the client sent, so this check does
    // not establish that the file is a PDF; inspect the content server-side (e.g. finfo).
    foreach ($_FILES as $x => $x_value) {
        $mime = $databaseObj->escape($_FILES[$x]['type']);
        if ($mime != 'application/pdf') {
            $databaseObj->__destruct();
            // NOTE(review): header() does not stop the script. Without an exit here the
            // second loop below still runs for the rejected upload.
            header('location:waiver.php');
        }
    }
    // Second pass: process each upload that arrived without a transfer error.
    foreach ($_FILES as $x => $x_value) {
        if (isset($_FILES[$x])) {
            // Make sure the file was sent without errors
            if ($_FILES[$x]['error'] == 0) {
                /*echo $_FILES['uploaded_file']['name'];
                  echo $_FILES['uploaded_file']['type'];
                  echo file_get_contents($_FILES  ['uploaded_file']['tmp_name']);*/
                // Gather all required data
                if ($flag == false) {
                    // $s_id is session data passed through addslashes(strip_tags()) and
                    // interpolated into the statement; a bound parameter would be safer.
                    $q = "INSERT INTO submissionqueue (s_id, time_stamp, status, comments) VALUES ('{$s_id}', '" . time() . "', 'Pending', ' ')";
Example #4
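    /**
     * Build the XML autocomplete response for a title prefix search.
     *
     * The keyword is un-slashed when magic quotes are active, passed through the
     * database object's escape() and matched with `LIKE "<keyword>%"` against
     * titles in #__content and #__categories joined with #__menu. Each row is
     * emitted as <name>/<pid>/<link> inside <response>, followed by an <error>
     * element carrying the database error message.
     *
     * The SELECT is only built when _JEXEC is defined; otherwise an empty query
     * string is handed to setQuery().
     *
     * Security notes:
     *  - The keyword sits inside a double-quoted SQL literal, so this relies on
     *    escape() neutralising `"` as well as `'` — confirm for both database classes.
     *  - The LIKE wildcards % and _ in the keyword are not escaped, so a caller
     *    can widen the match beyond a plain prefix.
     *  - Row values are wrapped in CDATA; a literal "]]>" in stored data is split
     *    so it cannot close the section early.
     *
     * @param string $keyword Search prefix (presumably request input, given the
     *                        magic-quotes handling).
     * @return string XML document.
     */
    function getSuggestions($keyword)
    {
        //get DB
        if (defined('_JEXEC')) {
            $dbi = JDatabase::getInstance(array('driver' => DB_DRIVER, 'host' => DB_HOST, 'user' => DB_USER, 'password' => DB_PASSWORD, 'database' => DB_DATABASE, 'prefix' => DB_PREFIX));
        } else {
            $dbi = new database(DB_HOST, DB_USER, DB_PASSWORD, DB_DATABASE, DB_PREFIX, DB_OFFLINE);
        }
        // escape the keyword string
        // get_magic_quotes_gpc() no longer exists as of PHP 8.0; an unguarded call is a
        // fatal error there, and without the function magic quotes are off.
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $keyword = stripslashes($keyword);
        }
        $keyword = $dbi->escape($keyword);
        //set SQL BIG SELECT option to ensure it is set to true
        // NOTE(review): the `SET OPTION` form was removed in MySQL 5.6; plain
        // `SET SQL_BIG_SELECTS=1` is the portable spelling — confirm the target server.
        $dbi->setQuery("SET OPTION SQL_BIG_SELECTS=1");
        $dbi->query();
        // column names used both in the SQL text and as keys into the result rows
        $tit = "title";
        $id = "id";
        $link = "link";
        $output = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>';
        $output .= '<response>';
        // if the keyword is empty build a filter that will return no results
        $filter = '=""';
        if ($keyword != '') {
            $filter = ' LIKE "' . $keyword . '%"';
        }
        $query = '';
        if (defined('_JEXEC')) {
            $query = 'SELECT ' . $tit . ',' . $link . ',' . $id . '
			 FROM
			(SELECT c.' . $tit . ' ,m.' . $link . ',m.id,c.created
			FROM #__content c
			JOIN
			(
			 SELECT  ' . $link . ',' . $id . ' 
			 FROM #__menu
			 WHERE ' . $link . ' like "index.php?option=com_content&view=article&id=%"
			 AND published = 1
			
			) as m on m.' . $link . ' = concat("index.php?option=com_content&view=article&id=",c.' . $id . ')
			WHERE  c.' . $tit . $filter . '
				
			UNION 
		
			SELECT i.' . $tit . ' as title,concat(concat(concat("index.php?option=com_content&amp;view=article&amp;catid=",c.' . $id . '),"&amp;id="),cast(i.' . $id . ' as char(11)))
			 as link, mc.' . $id . '  as id,i.created
			 FROM #__content AS i
			 JOIN #__categories AS c ON i.catid = c.' . $id . '
			 JOIN #__menu AS mc ON
			 mc.' . $link . ' = concat("index.php?option=com_content&view=category&layout=blog&id=",c.' . $id . ')
			 OR mc.' . $link . ' = concat("index.php?option=com_content&view=category&id=",c.' . $id . ')
			 
			WHERE mc.published=1
			AND i.' . $tit . $filter . '
					 
			UNION   
			
			select i.' . $tit . ',concat(concat(concat("index.php?option=com_content&amp;view=article&amp;catid=",c.' . $id . '),"&amp;id="),cast(i.' . $id . ' as char(11))) as link, 0 as id,i.created
			 FROM #__content i
			 LEFT join #__menu  m on m.link = concat("index.php?option=com_content&view=article&id=",i.' . $id . ')
			 JOIN #__categories AS c ON i.catid = c.' . $id . '
			 LEFT JOIN #__menu AS mc ON
			 mc.' . $link . ' = concat("index.php?option=com_content&view=category&layout=blog&id=",c.' . $id . ')
			 OR  mc.' . $link . ' = concat("index.php?option=com_content&view=category&id=",c.' . $id . ')
			 
			 WHERE m.' . $id . ' is null
			 AND mc.' . $id . ' is null
			 AND state = 1
			 AND i.' . $tit . $filter . '
			 
			UNION
			 
			SELECT c.' . $tit . ',m.link,m.id,"0000-00-00 00:00:00" as created
			FROM #__menu AS m 
			JOIN #__categories AS c ON
			m.' . $link . ' = concat("index.php?option=com_content&view=category&layout=blog&id=",c.' . $id . ')
			OR m.' . $link . ' =  concat("index.php?option=com_content&view=category&id=",c.' . $id . ')
					 
			WHERE m.published = 1
			AND m.parent_id = 1
			AND c.' . $tit . $filter . '
			
			
			UNION 
		 
			SELECT c.title,concat("index.php?option=com_content&amp;view=categories&amp;id=",cast(c.' . $id . ' as char(11))) as link,0 as id,"0000-00-00 00:00:00" as created
			FROM #__categories AS c 
			JOIN #__menu AS m ON
	 		m.' . $link . ' =  concat("index.php?option=com_content&view=categories&id=",c.' . $id . ')
			WHERE m.published = 1
			AND c.' . $tit . $filter . '
			
			ORDER BY created desc) a
			WHERE ' . $tit . $filter;
        }
        // execute the SQL query
        $dbi->setQuery($query);
        $rows = $dbi->loadAssocList();
        // if we have results, loop through them and add them to the output
        if ($rows) {
            foreach ($rows as $row) {
                // A literal "]]>" in stored data would end the CDATA section early and let
                // the remainder be parsed as markup; split it across two sections instead.
                $cdataTitle = str_replace(']]>', ']]]]><![CDATA[>', $row[$tit]);
                $cdataLink = str_replace(']]>', ']]]]><![CDATA[>', $row[$link]);
                $output .= '<name>' . '<![CDATA[' . $cdataTitle . ']]>' . '</name>';
                $output .= '<pid>' . $row[$id] . '</pid>';
                $output .= '<link>' . '<![CDATA[' . $cdataLink . ']]>' . '</link>';
            }
        }
        // The driver's message can contain <, & or quotes, so encode it to keep the document
        // well-formed.
        // NOTE(review): sending database error text to the client discloses query and schema
        // details; consider logging it server-side and returning a generic marker instead.
        $output .= '<error>' . htmlspecialchars((string) $dbi->getErrorMsg(), ENT_QUOTES, 'UTF-8') . '</error>';
        // add the final closing tag
        $output .= '</response>';
        // return the results
        return $output;
    }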
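<?php

// Vote endpoint for a post. The URL examples below use the query string, but the
// handler reads p_id / up / down from $_POST.
//votePost.php?p_id=1&up
//votePost.php?p_id=1&down
require_once "include/databaseClassMySQLi.php";
require_once "include/session.php";
header('Content-Type: application/json');
$db = new database();
$results = array();
// NOTE(review): no login check is visible before the writes in this excerpt;
// $session->uid comes from include/session.php (not shown) — confirm it is set and trusted.
if (isset($_POST['p_id']) && $_POST['p_id'] != '') {
    // escape() output is only safe inside a quoted SQL literal, so every statement
    // below must keep $p_id between quotes.
    $p_id = $db->escape($_POST['p_id']);
    if (isset($_POST['up'])) {
        // Has this user already voted on the post?
        // NOTE(review): the check and the insert are separate statements; unless post_votes
        // has a unique key on (p_id, u_id), concurrent requests can record two votes.
        $query = 'select value from post_votes where p_id=\'' . $p_id . '\' and u_id=\'' . $session->uid . '\'';
        $db->send_sql($query);
        $row = $db->next_row();
        if ($row === false || empty($row)) {
            // First vote by this user: record it and bump the counter.
            $query = 'insert into post_votes (p_id, u_id, value) values(\'' . $p_id . '\', \'' . $session->uid . '\', 1)';
            $db->send_sql($query);
            // Quoted like the other statements: unquoted, the escaped value could carry
            // arbitrary SQL, because escaping does nothing outside a string literal.
            $query = 'update posts set votes = votes + 1 where p_id=\'' . $p_id . '\'';
            $db->send_sql($query);
        } else {
            // Existing vote: force it to +1 and, if it was a down-vote, move the
            // counter by two (undo the -1, then add the +1).
            $query = 'update post_votes set value=1 where p_id=\'' . $p_id . '\' and u_id=\'' . $session->uid . '\'';
            $db->send_sql($query);
            $value = $row['value'];
            if ($value == -1) {
                $query = 'update posts set votes = votes + 2 where p_id=\'' . $p_id . '\'';
                $db->send_sql($query);
            }
        }
    } else {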
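<?php

// Post listing endpoint; optional paging via start/count, optional ordering via top.
//get
//post.php?start=0&count=20
//post.php
require_once "include/databaseClassMySQLi.php";
require_once "include/session.php";
header('Content-Type: application/json');
$db = new database();
$results = array();
if (isset($_GET['start']) && isset($_GET['count'])) {
    $start = $db->escape($_GET['start']);
    $count = $db->escape($_GET['count']);
    if (!is_numeric($start) || !is_numeric($count)) {
        $start = 0;
        $count = 20;
    } else {
        // is_numeric() also accepts signs, decimals and exponents. Both values land
        // unquoted in the LIMIT clause, where escaping gives no protection, so reduce
        // them to non-negative integers before they reach the query text.
        // NOTE(review): count has no upper bound; consider capping the page size.
        $start = max(0, (int) $start);
        $count = max(0, (int) $count);
    }
} else {
    $start = 0;
    $count = 20;
}
//value = whether the user voted 1 or -1 or null
// NOTE(review): $session->uid is interpolated into the sub-select; it comes from
// include/session.php (not shown) — confirm it cannot hold request-controlled text.
if (isset($_GET['top'])) {
    $query = 'select posts.p_id, users.u_id, for_name, name, post, date, showName, votes, a.value, ownage_id from posts natural join users left join (select value, p_id from post_votes where u_id=\'' . $session->uid . '\') a on posts.p_id=a.p_id where hidden=0 order by votes desc limit ' . $start . ', ' . $count;
} else {
    $query = 'select posts.p_id, users.u_id, for_name, name, post, date, showName, votes, a.value, ownage_id from posts natural join users left join (select value, p_id from post_votes where u_id=\'' . $session->uid . '\') a on posts.p_id=a.p_id where hidden=0 order by date desc limit ' . $start . ', ' . $count;
}
$db->send_sql($query);
while (($row = $db->next_row()) !== false && !empty($row)) {
    // Posts made with showName off have the author name replaced before output.
    if ($row['showName'] == 0) {
        $row['name'] = "anon";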
// User post endpoint. The visible part handles creation of a post from
// $_POST['post'], $_POST['for_name'] and the optional $_POST['showName'].
//userPost.php?post=postcontent&showName=1
//userPost.php?post=postcontent
//POST
//delete
//userPost.php?delete=p_id
//get
//userPost.php?start=0&count=10
//userPost.php
require_once "include/session.php";
require_once "include/databaseClassMySQLi.php";
header('Content-Type: application/json');
$db = new database();
$results = array();
if (isset($_POST['post']) && isset($_POST['for_name']) && $_POST['post'] != '') {
    // Normalise showName to 0 or 1, so nothing request-controlled survives into the query.
    if (isset($_POST['showName'])) {
        $showName = $db->escape($_POST['showName']);
        // Request values arrive as strings, so only the 'true' comparison can match here
        // (assuming escape() returns a string — TODO confirm).
        if ($showName === true || $showName === 'true') {
            $showName = 1;
        } else {
            $showName = 0;
        }
    } else {
        $showName = 0;
    }
    // Writes happen only for a logged-in session.
    if ($session->checkLoggedIn() === true) {
        // Each post gets its own ownage row; its generated id is stored on the post.
        $db->send_sql("insert into ownage(u_id) values ('{$session->uid}')");
        $ownage = $db->insert_id();
        date_default_timezone_set('UTC');
        // Both free-text fields are escaped and placed inside quoted literals below.
        // NOTE(review): this protects the SQL statement only; the stored text still needs
        // context-appropriate output encoding wherever it is rendered.
        $post = $db->escape($_POST['post']);
        $for_name = $db->escape($_POST['for_name']);
        $query = 'insert into posts(u_id, post, showName, ownage_id, for_name) values (\'' . $session->uid . '\', \'' . $post . '\',  \'' . $showName . '\', \'' . $ownage . '\', \'' . $for_name . '\')';
<?php

// Comment endpoint. The visible part handles creation of a comment from
// $_POST['p_id'], $_POST['comment'] and the optional $_POST['showName'].
//post
//comment.php?p_id=1&comment=content&showName=1
//comment.php?p_id=1&comment=content
//get
//userPost.php?post=p_id=1
//userPost.php?post=p_id=1&start=0&count=1
require_once "include/session.php";
require_once "include/databaseClassMySQLi.php";
header('Content-Type: application/json');
$db = new database();
$results = array();
if (isset($_POST['comment']) && isset($_POST['p_id']) && $_POST['comment'] != '' && $_POST['p_id'] != '') {
    // Escaped here and kept inside quotes in the INSERT below; escaping alone would
    // not protect an unquoted position.
    $p_id = $db->escape($_POST['p_id']);
    // Normalise showName to 0 or 1, so nothing request-controlled survives into the query.
    if (isset($_POST['showName'])) {
        $showName = $db->escape($_POST['showName']);
        // Request values arrive as strings, so only the 'true' comparison can match here
        // (assuming escape() returns a string — TODO confirm).
        if ($showName === true || $showName === 'true') {
            $showName = 1;
        } else {
            $showName = 0;
        }
    } else {
        $showName = 0;
    }
    // Writes happen only for a logged-in session.
    if ($session->checkLoggedIn() === true) {
        // Each comment gets its own ownage row; its generated id is stored on the comment.
        $db->send_sql("insert into ownage(u_id) values ('{$session->uid}')");
        $ownage = $db->insert_id();
        date_default_timezone_set('UTC');
        // NOTE(review): escaping protects the SQL statement only; the stored text still
        // needs context-appropriate output encoding wherever it is rendered.
        $comment = $db->escape($_POST['comment']);
        // $ownage is the only unquoted value; it is the id returned by insert_id() above.
        $query = "insert into comments(u_id, p_id, comment, showName, ownage_id) values ('{$session->uid}', '{$p_id}', '{$comment}', '{$showName}', {$ownage})";
<?php

// Registration endpoint: creates a user row from the POSTed name, password and
// email, logs the new user in, and replies with a one-element JSON array
// ("Success", "Email is already taken" or "Missing a field").
//
// NOTE(review): the password passes through $db->escape() before password_hash(),
// so the hash covers the escaped text rather than what the user typed. Only the
// hash reaches the SQL string; confirm what the login path does before changing this.
// NOTE(review): the email uniqueness test is a separate SELECT, so two concurrent
// requests can both pass it unless users.email carries a UNIQUE constraint.
require_once 'include/databaseClassMySQLi.php';
require_once "include/session.php";
$db = new database();
header('Content-Type: application/json');
$result = array();

$allFieldsPresent = isset($_POST['name'], $_POST['password'], $_POST['email'])
    && $_POST['name'] != ''
    && $_POST['password'] != ''
    && $_POST['email'] != '';

if (!$allFieldsPresent) {
    $result[] = "Missing a field";
} else {
    $name = $db->escape($_POST['name']);
    $password = $db->escape($_POST['password']);
    $email = $db->escape($_POST['email']);

    // Look for an existing account with this email.
    $db->send_sql("select email from users where email='{$email}'");
    $existing = $db->next_row();
    $emailFree = ($existing === false || empty($existing));

    if (!$emailFree) {
        $result[] = "Email is already taken";
    } elseif (count($result) == 0) {
        // Store only the hash; the (escaped) password itself goes to login().
        $passwordHash = password_hash($password, PASSWORD_DEFAULT);
        $db->send_sql("insert into users(name, password, email) values ('{$name}', '{$passwordHash}', '{$email}')");
        $result[] = "Success";
        $session->login($email, $password);
    }
}
echo json_encode($result);
Example #10
    // Stores, per POSTed array field, a hand-built JSON document in submissiontype.
    include "databaseClassMySQLi.php";
    //include("projconfig.php");
    $databaseObj = new database();
    $databaseObj->setup(DB_USER, DB_PASS, DB_HOST, DB_NAME);
    // $_POST is a superglobal and always set, so this condition is always true.
    if (isset($_POST)) {
        foreach ($_POST as $key => $value) {
            if (is_array($value)) {
                // The document is assembled by string concatenation, with literal \" around
                // the key and each element.
                // NOTE(review): $key and $element are request-controlled and are inserted
                // without JSON encoding, so a quote or backslash in either changes the
                // structure of the stored document; json_encode() would encode them safely.
                $jsonData = "{\\\"{$key}\\\":[";
                $numfiles = sizeof($value);
                foreach ($value as $element) {
                    $jsonData = $jsonData . '\\"' . $element . '\\"';
                    // Separator after every element except the last.
                    if ($numfiles != 1) {
                        $jsonData = $jsonData . ', ';
                    }
                    $numfiles = $numfiles - 1;
                }
                $jsonData = $jsonData . ']}';
                // escape() protects the SQL statement only, not the JSON structure.
                $jsonDataString = $databaseObj->escape($jsonData);
                //echo $jsonDataString;
                // NOTE(review): $course_id is interpolated here but assigned outside this
                // excerpt — confirm it is escaped or validated before this point.
                $query = "insert into submissiontype(course_id, submission_type, refreshOnUpdate) values ('{$course_id}','{$jsonDataString}',false)";
                $result = $databaseObj->send_sql($query);
            }
        }
    }
    echo "Course designed successfully";
} else {
    header("location:designCourse.php");
}
?>
    </body>
</html>
 /**
  * Get a database escaped string. For LIKE statements: $db->Quote( $db->getEscaped( $text, true ) . '%', false )
  *
  * The wildcard pass runs after the driver's escaping, so the backslashes it
  * adds in front of % and _ are not escaped a second time.
  *
  * NOTE(review): the result is meant to be placed inside a quoted SQL literal
  * (see the Quote() usage above); escaping does not protect unquoted positions.
  *
  * @param  string  $text
  * @param  boolean $escapeForLike : escape also % and _ wildcards for LIKE statements with % or _ in search strings  (since CB 1.2.3)
  * @return string
  */
 function getEscaped($text, $escapeForLike = false)
 {
     // Pick the driver method according to the version checkJversion() reports.
     $escaped = (checkJversion() >= 2)
         ? $this->_db->escape($text)
         : $this->_db->getEscaped($text);

     if (!$escapeForLike) {
         return $escaped;
     }

     // Prefix the LIKE wildcards with a backslash so they match literally.
     return str_replace(array('%', '_'), array("\\%", "\\_"), $escaped);
 }
//message.php?to=ownage_id&message=content&showName=1
//message.php?to=ownage_id&message=content
//GET
//delete
//message.php?delete=m_id
//get
//message.php?start=0&count=10
//message.php
require_once "include/session.php";
require_once "include/databaseClassMySQLi.php";
header('Content-Type: application/json');
$db = new database();
$results = array();
if (isset($_POST['message']) && isset($_POST['to'])) {
    if (isset($_POST['showName'])) {
        $showName = $db->escape($_POST['showName']);
        if ($showName === true || $showName === 'true') {
            $showName = 1;
        } else {
            $showName = 0;
        }
    } else {
        $showName = 0;
    }
    if ($session->checkLoggedIn() === true) {
        $db->send_sql("insert into ownage(u_id) values ('{$session->uid}')");
        $ownage = $db->insert_id();
        date_default_timezone_set('UTC');
        $message = $db->escape($_POST['message']);
        $to = $db->escape($_POST['to']);
        $query = 'insert into messages(to_ownage, ownage_id, message, showName) values (\'' . $to . '\', \'' . $ownage . '\', \'' . $message . '\', \'' . $showName . '\')';