From 5113776a42d0bc7ff8ed2db8619045d3ffb164a9 Mon Sep 17 00:00:00 2001
From: Daniel Friesel <derf@finalrewind.org>
Date: Fri, 3 Jun 2011 11:09:25 +0200
Subject: include/pages/admin_faq cleanup

---
 includes/pages/admin_faq.php | 46 +++++++++++++++++++++++++++++++-------------
 includes/sys_page.php        |  8 ++++++++
 2 files changed, 41 insertions(+), 13 deletions(-)

diff --git a/includes/pages/admin_faq.php b/includes/pages/admin_faq.php
index 5b9a338f..b8ba1a64 100644
--- a/includes/pages/admin_faq.php
+++ b/includes/pages/admin_faq.php
@@ -4,8 +4,14 @@ function admin_faq() {
 		$faqs_html = "";
 		$faqs = sql_select("SELECT * FROM `FAQ`");
 		foreach ($faqs as $faq) {
-			$faqs_html .= '<tr><td><dl><dt>' . $faq['Frage_de'] . '</dt><dd>' . $faq['Antwort_de'] . '</dd></dl></td><td><dl><dt>' . $faq['Frage_en'] . '</dt><dd>' . $faq['Antwort_en'] . '</dd></dl></td>';
-			$faqs_html .= '<td><a href="' . page_link_to("admin_faq") . '&action=edit&id=' . $faq['FID'] . '">Edit</a></td></tr>';
+			$faqs_html .= sprintf(
+				'<tr><td> <dl><dt>%s</dt><dd>%s</dd></dl> </td>'
+				.   '<td> <dl><dt>%s</dt><dd>%s</dd></dl> </td>'
+				. '<td><a href="%s&action=edit&id=%s">Edit</a></td></tr>',
+				$faq['Frage_de'], $faq['Antwort_de'],
+				$faq['Frage_en'], $faq['Antwort_en'],
+				page_link_to('admin_faq'), $faq['FID']
+			);
 		}
 		return template_render('../templates/admin_faq.html', array (
 			'link' => page_link_to("admin_faq"),
@@ -14,11 +20,18 @@ function admin_faq() {
 	} else {
 		switch ($_REQUEST['action']) {
 			case 'create' :
-				$frage = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['frage']));
-				$antwort = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['antwort']));
-				$question = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['question']));
-				$answer = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['answer']));
-				sql_query("INSERT INTO `FAQ` SET `Frage_de`='" . sql_escape($frage) . "', `Frage_en`='" . sql_escape($question) . "', `Antwort_de`='" . sql_escape($antwort) . "', `Antwort_en`='" . sql_escape($answer) . "'");
+				$frage    = strip_request_item_nl('frage');
+				$antwort  = strip_request_item_nl('antwort');
+				$question = strip_request_item_nl('question');
+				$answer   = strip_request_item_nl('answer');
+
+				sql_query("INSERT INTO `FAQ` SET `Frage_de`='" . sql_escape($frage)
+					. "', `Frage_en`='" . sql_escape($question)
+					. "', `Antwort_de`='" . sql_escape($antwort)
+					. "', `Antwort_en`='" . sql_escape($answer)
+					. "'"
+				);
+
 				header("Location: " . page_link_to("admin_faq"));
 				break;
 
@@ -32,11 +45,18 @@ function admin_faq() {
 				if (count($faq) > 0) {
 					list ($faq) = $faq;
 
-					$frage = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['frage']));
-					$antwort = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['antwort']));
-					$question = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['question']));
-					$answer = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['answer']));
-					sql_query("UPDATE `FAQ` SET `Frage_de`='" . sql_escape($frage) . "', `Frage_en`='" . sql_escape($question) . "', `Antwort_de`='" . sql_escape($antwort) . "', `Antwort_en`='" . sql_escape($answer) . "' WHERE `FID`=" . sql_escape($id) . " LIMIT 1");
+					$frage    = strip_request_item_nl('frage');
+					$antwort  = strip_request_item_nl('antwort');
+					$question = strip_request_item_nl('question');
+					$answer   = strip_request_item_nl('answer');
+
+					sql_query("UPDATE `FAQ` SET `Frage_de`='" . sql_escape($frage)
+						. "', `Frage_en`='" . sql_escape($question)
+						. "', `Antwort_de`='" . sql_escape($antwort)
+						. "', `Antwort_en`='" . sql_escape($answer)
+						. "' WHERE `FID`=" . sql_escape($id) . " LIMIT 1"
+					);
+
 					header("Location: " . page_link_to("admin_faq"));
 				} else
 					return error("No FAQ found.");
@@ -82,4 +102,4 @@ function admin_faq() {
 		}
 	}
 }
-?>
\ No newline at end of file
+?>
diff --git a/includes/sys_page.php b/includes/sys_page.php
index 2af5f729..e499cd57 100644
--- a/includes/sys_page.php
+++ b/includes/sys_page.php
@@ -8,6 +8,14 @@ function strip_request_item($name) {
 	);
 }
 
+function strip_request_item_nl($name) {
+	return preg_replace(
+		"/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui",
+		'',
+		strip_tags($_REQUEST[$name])
+	);
+}
+
 function error($msg) {
 	return '<p class="error">' . $msg . '</p>';
 }
-- 
cgit v1.2.3-54-g00ecf


From 93dd7113b13b06de1701b216b77bb73e76421fb5 Mon Sep 17 00:00:00 2001
From: Daniel Friesel <derf@finalrewind.org>
Date: Fri, 3 Jun 2011 11:17:09 +0200
Subject: admin_groups minor cleanup

---
 includes/pages/admin_groups.php | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/includes/pages/admin_groups.php b/includes/pages/admin_groups.php
index 5d9d8180..842640d8 100644
--- a/includes/pages/admin_groups.php
+++ b/includes/pages/admin_groups.php
@@ -7,15 +7,23 @@ function admin_groups() {
 	if (!isset ($_REQUEST["action"])) {
 		$groups_html = "";
 		foreach ($groups as $group) {
-			$groups_html .= '<tr>';
-			$groups_html .= '<td>' . $group['Name'] . '</td>';
+			$groups_html .= sprintf(
+				'<tr><td>%s</td>',
+				$group['Name']
+			);
 			$privileges = sql_select("SELECT * FROM `GroupPrivileges` JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `group_id`=" . sql_escape($group['UID']));
 			$privileges_html = array ();
+
 			foreach ($privileges as $priv)
 				$privileges_html[] = $priv['name'];
-			$groups_html .= '<td>' . join(", ", $privileges_html) . '</td>';
-			$groups_html .= '<td><a href="' . page_link_to("admin_groups") . '&action=edit&id=' . $group['UID'] . '">Ändern</a></td>';
-			$groups_html .= '</tr>';
+
+			$groups_html .= sprintf(
+				'<td>%s</td>'
+				. '<td><a href="%s&action=edit&id=%s">Ändern</a></td>',
+				join(', ', $privileges_html),
+				page_link_to("admin_groups"),
+				$group['UID']
+			);
 		}
 
 		return template_render('../templates/admin_groups.html', array (
-- 
cgit v1.2.3-54-g00ecf


From 554bd796dc7aed67b6810e2ae3f30ba66bf263e3 Mon Sep 17 00:00:00 2001
From: Daniel Friesel <derf@finalrewind.org>
Date: Fri, 3 Jun 2011 11:24:22 +0200
Subject: includes/sys_auth: Add sql_escape, just to be safe

---
 includes/sys_auth.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/includes/sys_auth.php b/includes/sys_auth.php
index 68e336b0..009be2d8 100644
--- a/includes/sys_auth.php
+++ b/includes/sys_auth.php
@@ -19,7 +19,10 @@ function load_auth() {
 		if (count($user) > 0) {
 			// User ist eingeloggt, Datensatz zur Verfügung stellen und Timestamp updaten
 			list ($user) = $user;
-			sql_query("UPDATE `User` SET " . "`lastLogIn` = '" . time() . "'" . " WHERE `UID` = '" . $_SESSION['uid'] . "' LIMIT 1;");
+			sql_query("UPDATE `User` SET "
+				. "`lastLogIn` = '" . time() . "'"
+				. " WHERE `UID` = '" . sql_escape($_SESSION['uid']) . "' LIMIT 1;"
+			);
 		} else
 			unset ($_SESSION['uid']);
 	}
@@ -52,4 +55,4 @@ function PassCrypt($passwort) {
 			return md5($passwort);
 	}
 }
-?>
\ No newline at end of file
+?>
-- 
cgit v1.2.3-54-g00ecf


From 70de7e5a1dd96c47c48eb45498004d219bec1283 Mon Sep 17 00:00:00 2001
From: Daniel Friesel <derf@finalrewind.org>
Date: Fri, 3 Jun 2011 11:34:54 +0200
Subject: guest_login: Cleanup, fix sql injection

---
 includes/pages/guest_faq.php   | 14 ++++++++---
 includes/pages/guest_login.php | 56 ++++++++++++++++++++++++++++++------------
 2 files changed, 50 insertions(+), 20 deletions(-)

diff --git a/includes/pages/guest_faq.php b/includes/pages/guest_faq.php
index c4bcd0bb..2799cbaf 100644
--- a/includes/pages/guest_faq.php
+++ b/includes/pages/guest_faq.php
@@ -5,11 +5,17 @@ function guest_faq() {
 	foreach ($faqs as $faq) {
 		$html .= "<dl>";
 		if ($_SESSION['Sprache'] == "DE") {
-			$html .= "<dt>" . $faq['Frage_de'] . "</dt>";
-			$html .= "<dd>" . $faq['Antwort_de'] . "</dd>";
+			$html .= sprintf(
+				'<dt>%s</dt> <dd>%s</dd>',
+				$faq['frage_de'],
+				$faq['antwort_de']
+			);
 		} else {
-			$html .= "<dt>" . $faq['Frage_en'] . "</dt>";
-			$html .= "<dd>" . $faq['Antwort_en'] . "</dd>";
+			$html .= sprintf(
+				'<dt>%s</dt> <dd>%s</dd>',
+				$faq['frage_en'],
+				$faq['antwort_en']
+			);
 		}
 		$html .= "</dl>";
 	}
diff --git a/includes/pages/guest_login.php b/includes/pages/guest_login.php
index bbf36b6d..db20a207 100644
--- a/includes/pages/guest_login.php
+++ b/includes/pages/guest_login.php
@@ -16,12 +16,25 @@ function guest_register() {
 		$Ergans = sql_select("SELECT UID FROM `User` WHERE `Nick`='" . sql_escape($_POST["Nick"]) . "'");
 
 		if (strlen($_POST["Nick"]) < 2)
-			$error = Get_Text("makeuser_error_nick1") . $_POST["Nick"] . Get_Text("makeuser_error_nick2");
-		elseif (count($Ergans) > 0) $error = Get_Text("makeuser_error_nick1") . $_POST["Nick"] . Get_Text("makeuser_error_nick3");
-		elseif (strlen($_POST["email"]) <= 6 && strstr($_POST["email"], "@") == FALSE && strstr($_POST["email"], ".") == false) $error = Get_Text("makeuser_error_mail");
-		elseif (!is_numeric($_POST["Alter"])) $error = Get_Text("makeuser_error_Alter");
-		elseif ($_POST["Passwort"] != $_POST["Passwort2"]) $error = Get_Text("makeuser_error_password1");
-		elseif (strlen($_POST["Passwort"]) < 6) $error = Get_Text("makeuser_error_password2");
+			$error = Get_Text("makeuser_error_nick1")
+				. $_POST["Nick"] . Get_Text("makeuser_error_nick2");
+
+		elseif (count($Ergans) > 0)
+			$error = Get_Text("makeuser_error_nick1")
+				. $_POST["Nick"] . Get_Text("makeuser_error_nick3");
+
+		elseif (strlen($_POST["email"]) <= 6 && strstr($_POST["email"], "@") == FALSE && strstr($_POST["email"], ".") == false)
+			$error = Get_Text("makeuser_error_mail");
+
+		elseif (!is_numeric($_POST["Alter"]))
+			$error = Get_Text("makeuser_error_Alter");
+
+		elseif ($_POST["Passwort"] != $_POST["Passwort2"])
+			$error = Get_Text("makeuser_error_password1");
+
+		elseif (strlen($_POST["Passwort"]) < 6)
+			$error = Get_Text("makeuser_error_password2");
+
 		else {
 			$_POST["Passwort"] = PassCrypt($_POST["Passwort"]);
 			unset ($_POST["Passwort2"]);
@@ -35,15 +48,26 @@ function guest_register() {
 			"`Size`, " . "`Passwort`, " .
 			"`Art` , " . "`kommentar`, " .
 			"`Hometown`," . "`CreateDate`, `Sprache` ) " .
-			"VALUES ( " .
-			"'" . $_POST["Nick"] . "', " . "'" . $_POST["Name"] . "', " .
-			"'" . $_POST["Vorname"] . "', " . "'" . $_POST["Alter"] . "', " .
-			"'" . $_POST["Telefon"] . "', " . "'" . $_POST["DECT"] . "', " .
-			"'" . $_POST["Handy"] . "', " . "'" . $_POST["email"] . "', " .
-			"'" . $_POST["ICQ"] . "', " . "'" . $_POST["jabber"] . "', " .
-			"'" . $_POST["Size"] . "', " . "'" . $_POST["Passwort"] . "', " .
-			"'" . $_POST["Art"] . "', " . "'" . $_POST["kommentar"] . "', " .
-			"'" . $_POST["Hometown"] . "'," . "NOW(), '" . $_SESSION['Sprache'] . "')");
+			"VALUES ( '"
+				. sql_escape($_POST["Nick"]) . "', " . "'"
+				. sql_escape($_POST["Name"]) . "', " . "'"
+				. sql_escape($_POST["Vorname"]) . "', " . "'"
+				. sql_escape($_POST["Alter"]) . "', " . "'"
+				. sql_escape($_POST["Telefon"]) . "', " . "'"
+				. sql_escape($_POST["DECT"]) . "', " . "'"
+				. sql_escape($_POST["Handy"]) . "', " . "'"
+				. sql_escape($_POST["email"]) . "', " . "'"
+				. sql_escape($_POST["ICQ"]) . "', " . "'"
+				. sql_escape($_POST["jabber"]) . "', " . "'"
+				. sql_escape($_POST["Size"]) . "', " . "'"
+				. sql_escape($_POST["Passwort"]) . "', " . "'"
+				. sql_escape($_POST["Art"]) . "', " . "'"
+				. sql_escape($_POST["kommentar"]) . "', " . "'"
+				. sql_escape($_POST["Hometown"]) . "',"
+				. "NOW(), '"
+				. sql_escape($_SESSION["Sprache"])
+				. "')"
+			);
 
 			if ($Erg != 1) {
 				$html .= Get_Text("makeuser_error_write1") . "<br />\n";
@@ -242,4 +266,4 @@ function guest_login_form() {
 		'send' => Get_Text("index_lang_send")
 	));
 }
-?>
\ No newline at end of file
+?>
-- 
cgit v1.2.3-54-g00ecf


From 75a7755041c4e4b9c5c31bccabc917e188982e80 Mon Sep 17 00:00:00 2001
From: Daniel Friesel <derf@finalrewind.org>
Date: Fri, 3 Jun 2011 11:46:46 +0200
Subject: user_messages: Initial (unfinished) cleanup

---
 includes/pages/user_messages.php | 41 ++++++++++++++++++++++++++++++----------
 1 file changed, 31 insertions(+), 10 deletions(-)

diff --git a/includes/pages/user_messages.php b/includes/pages/user_messages.php
index 30871d9d..a13b28f0 100644
--- a/includes/pages/user_messages.php
+++ b/includes/pages/user_messages.php
@@ -6,7 +6,13 @@ function user_unread_messages() {
 		$new_messages = sql_num_query("SELECT * FROM `Messages` WHERE isRead='N' AND `RUID`=" . sql_escape($user['UID']));
 
 		if ($new_messages > 0)
-			return '<p class="notice"><a href="' . page_link_to("user_messages") . '">' . Get_Text("pub_messages_new1") . " " . $new_messages . " " . Get_Text("pub_messages_new2") . '</a></p><hr />';
+			return sprintf(
+				'<p class="notice"><a href="%s">%s %s %s</a></p><hr />',
+				page_link_to("user_messages"),
+				Get_Text("pub_messages_new1"),
+				$new_messages,
+				Get_Text("pub_messages_new2")
+			);
 	}
 
 	return "";
@@ -16,23 +22,37 @@ function user_messages() {
 	global $user;
 
 	if (!isset ($_REQUEST['action'])) {
-		$users = sql_select("SELECT * FROM `User` WHERE NOT `UID`=" . sql_escape($user['UID']) . " ORDER BY `Nick`");
+		$users = sql_select("SELECT * FROM `User` WHERE NOT `UID`="
+			. sql_escape($user['UID']) . " ORDER BY `Nick`");
+
 		$to_select_data = array (
 			"" => "Select receiver..."
 		);
+
 		foreach ($users as $u)
 			$to_select_data[$u['UID']] = $u['Nick'];
+
 		$to_select = html_select_key('to', $to_select_data, '');
 
 		$messages_html = "";
-		$messages = sql_select("SELECT * FROM `Messages` WHERE `SUID`=" . sql_escape($user['UID']) . " OR `RUID`=" . sql_escape($user['UID']) . " ORDER BY `isRead`,`Datum` DESC");
+		$messages = sql_select("SELECT * FROM `Messages` WHERE `SUID`="
+			. sql_escape($user['UID'])
+			. " OR `RUID`=" . sql_escape($user['UID'])
+			. " ORDER BY `isRead`,`Datum` DESC"
+		);
 		foreach ($messages as $message) {
-			$messages_html .= '<tr' . ($message['isRead'] == 'N' ? ' class="new_message"' : '') . '>';
-			$messages_html .= '<td>' . ($message['isRead'] == 'N' ? '•' : '') . '</td>';
-			$messages_html .= '<td>' . date("Y-m-d H:i", $message['Datum']) . '</td>';
-			$messages_html .= '<td>' . UID2Nick($message['SUID']) . '</td>';
-			$messages_html .= '<td>' . UID2Nick($message['RUID']) . '</td>';
-			$messages_html .= '<td>' . str_replace("\n", '<br />', $message['Text']) . '</td>';
+
+			$messages_html .= sprintf(
+				'<tr %s> <td>%s</td> <td>%s</td> <td>%s</td> <td>%s</td>'
+				.'<td>%s</td>',
+				($message['isRead'] == 'N' ? ' class="new_message"' : ''),
+				($message['isRead'] == 'N' ? '•' : ''),
+				date("Y-m-d H:i", $message['Datum']),
+				UID2Nick($message['SUID']),
+				UID2Nick($message['RUID']),
+				str_replace("\n", '<br />', $message['Text'])
+			);
+
 			$messages_html .= '<td>';
 			if ($message['RUID'] == $user['UID']) {
 				if ($message['isRead'] == 'N')
@@ -45,7 +65,8 @@ function user_messages() {
 
 		return template_render('../templates/user_messages.html', array (
 			'link' => page_link_to("user_messages"),
-			'greeting' => Get_Text("Hello") . $user['Nick'] . ", <br />\n" . Get_Text("pub_messages_text1") . "<br /><br />\n",
+			'greeting' => Get_Text("Hello") . $user['Nick'] . ", <br />\n"
+			            . Get_Text("pub_messages_text1") . "<br /><br />\n",
 			'messages' => $messages_html,
 			'new_label' => Get_Text("pub_messages_Neu"),
 			'date_label' => Get_Text("pub_messages_Datum"),
-- 
cgit v1.2.3-54-g00ecf