mirror of
https://github.com/Mibew/i18n.git
synced 2025-02-02 09:34:41 +03:00
Fix multiple (potential) SQL Injections
This commit is contained in:
parent
2532f3bc01
commit
92847d1a52
@ -60,13 +60,13 @@ function post_message_($threadid, $kind, $message, $link, $from = null, $utime =
|
||||
{
|
||||
global $mysqlprefix;
|
||||
$query = sprintf(
|
||||
"insert into ${mysqlprefix}chatmessage (threadid,ikind,tmessage,tname,agentId,dtmcreated) values (%s, %s,'%s',%s,%s,%s)",
|
||||
$threadid,
|
||||
$kind,
|
||||
"insert into ${mysqlprefix}chatmessage (threadid,ikind,tmessage,tname,agentId,dtmcreated) values (%s,%s,'%s',%s,%s,%s)",
|
||||
intval($threadid),
|
||||
intval($kind),
|
||||
mysql_real_escape_string($message, $link),
|
||||
$from ? "'" . mysql_real_escape_string($from, $link) . "'" : "null",
|
||||
$opid ? $opid : "0",
|
||||
$utime ? "FROM_UNIXTIME($utime)" : "CURRENT_TIMESTAMP");
|
||||
$opid ? intval($opid) : "0",
|
||||
$utime ? "FROM_UNIXTIME(" . intval($utime) . ")" : "CURRENT_TIMESTAMP");
|
||||
|
||||
perform_query($query, $link);
|
||||
return mysql_insert_id($link);
|
||||
@ -125,7 +125,7 @@ function get_messages($threadid, $meth, $isuser, &$lastid)
|
||||
$query = sprintf(
|
||||
"select messageid,ikind,unix_timestamp(dtmcreated) as created,tname,tmessage from ${mysqlprefix}chatmessage " .
|
||||
"where threadid = %s and messageid > %s %s order by messageid",
|
||||
$threadid, $lastid, $isuser ? "and ikind <> $kind_for_agent" : "");
|
||||
intval($threadid), intval($lastid), $isuser ? "and ikind <> " . intval($kind_for_agent) : "");
|
||||
|
||||
$messages = array();
|
||||
$msgs = select_multi_assoc($query, $link);
|
||||
@ -392,7 +392,7 @@ function load_canned_messages($locale, $groupid)
|
||||
global $mysqlprefix;
|
||||
$link = connect();
|
||||
$result = select_multi_assoc(
|
||||
"select vcvalue from ${mysqlprefix}chatresponses where locale = '$locale' " .
|
||||
"select vcvalue from ${mysqlprefix}chatresponses where locale = '" . mysql_real_escape_string($locale, $link) . "' " .
|
||||
"AND (groupid is NULL OR groupid = 0) order by vcvalue", $link);
|
||||
if (count($result) == 0) {
|
||||
foreach (explode("\n", getstring_('chat.predefined_answers', $locale)) as $answer) {
|
||||
@ -401,8 +401,8 @@ function load_canned_messages($locale, $groupid)
|
||||
}
|
||||
if ($groupid) {
|
||||
$result2 = select_multi_assoc(
|
||||
"select vcvalue from ${mysqlprefix}chatresponses where locale = '$locale' " .
|
||||
"AND groupid = $groupid order by vcvalue", $link);
|
||||
"select vcvalue from ${mysqlprefix}chatresponses where locale = '" . mysql_real_escape_string($locale, $link) . "' " .
|
||||
"AND groupid = " . intval($groupid) . " order by vcvalue", $link);
|
||||
foreach ($result as $r) {
|
||||
$result2[] = $r;
|
||||
}
|
||||
@ -461,11 +461,11 @@ function update_thread_access($threadid, $params, $link)
|
||||
foreach ($params as $k => $v) {
|
||||
if (strlen($clause) > 0)
|
||||
$clause .= ", ";
|
||||
$clause .= $k . "=" . $v;
|
||||
$clause .= "`" . mysql_real_escape_string($k, $link) . "`='" . mysql_real_escape_string($v, $link) . "'";
|
||||
}
|
||||
perform_query(
|
||||
"update ${mysqlprefix}chatthread set $clause " .
|
||||
"where threadid = $threadid", $link);
|
||||
"where threadid = " . intval($threadid), $link);
|
||||
}
|
||||
|
||||
function ping_thread($thread, $isuser, $istyping)
|
||||
@ -509,11 +509,11 @@ function ping_thread($thread, $isuser, $istyping)
|
||||
function commit_thread($threadid, $params, $link)
|
||||
{
|
||||
global $mysqlprefix;
|
||||
$query = "update ${mysqlprefix}chatthread t set lrevision = " . next_revision($link) . ", dtmmodified = CURRENT_TIMESTAMP";
|
||||
$query = "update ${mysqlprefix}chatthread t set lrevision = " . intval(next_revision($link)) . ", dtmmodified = CURRENT_TIMESTAMP";
|
||||
foreach ($params as $k => $v) {
|
||||
$query .= ", " . $k . "=" . $v;
|
||||
$query .= ", `" . mysql_real_escape_string($k, $link) . "`='" . mysql_real_escape_string($v, $link) . "'";
|
||||
}
|
||||
$query .= " where threadid = $threadid";
|
||||
$query .= " where threadid = " . intval($threadid);
|
||||
|
||||
perform_query($query, $link);
|
||||
}
|
||||
@ -555,10 +555,16 @@ function close_old_threads($link)
|
||||
return;
|
||||
}
|
||||
$next_revision = next_revision($link);
|
||||
$query = "update ${mysqlprefix}chatthread set lrevision = $next_revision, dtmmodified = CURRENT_TIMESTAMP, istate = $state_closed " .
|
||||
"where istate <> $state_closed and istate <> $state_left and lastpingagent <> 0 and lastpinguser <> 0 and " .
|
||||
"(ABS(UNIX_TIMESTAMP(CURRENT_TIMESTAMP) - UNIX_TIMESTAMP(lastpinguser)) > " . $settings['thread_lifetime'] . " and " .
|
||||
"ABS(UNIX_TIMESTAMP(CURRENT_TIMESTAMP) - UNIX_TIMESTAMP(lastpingagent)) > " . $settings['thread_lifetime'] . ")";
|
||||
$query = sprintf("update ${mysqlprefix}chatthread set lrevision = %s, dtmmodified = CURRENT_TIMESTAMP, istate = %s " .
|
||||
"where istate <> %s and istate <> %s and lastpingagent <> 0 and lastpinguser <> 0 and " .
|
||||
"(ABS(UNIX_TIMESTAMP(CURRENT_TIMESTAMP) - UNIX_TIMESTAMP(lastpinguser)) > %s and " .
|
||||
"ABS(UNIX_TIMESTAMP(CURRENT_TIMESTAMP) - UNIX_TIMESTAMP(lastpingagent)) > %s)",
|
||||
intval($next_revision),
|
||||
intval($state_closed),
|
||||
intval($state_closed),
|
||||
intval($state_left),
|
||||
intval($settings['thread_lifetime']),
|
||||
intval($settings['thread_lifetime']));
|
||||
|
||||
perform_query($query, $link);
|
||||
}
|
||||
@ -569,7 +575,7 @@ function thread_by_id_($id, $link)
|
||||
return select_one_row("select threadid,userName,agentName,agentId,lrevision,istate,ltoken,userTyping,agentTyping" .
|
||||
",unix_timestamp(dtmmodified) as modified, unix_timestamp(dtmcreated) as created" .
|
||||
",remote,referer,locale,unix_timestamp(lastpinguser) as lpuser,unix_timestamp(lastpingagent) as lpagent, unix_timestamp(CURRENT_TIMESTAMP) as current,nextagent,shownmessageid,userid,userAgent,groupid" .
|
||||
" from ${mysqlprefix}chatthread where threadid = " . $id, $link);
|
||||
" from ${mysqlprefix}chatthread where threadid = " . intval($id), $link);
|
||||
}
|
||||
|
||||
function ban_for_addr_($addr, $link)
|
||||
@ -591,15 +597,16 @@ function create_thread($groupid, $username, $remoteHost, $referer, $lang, $useri
|
||||
global $mysqlprefix;
|
||||
$query = sprintf(
|
||||
"insert into ${mysqlprefix}chatthread (userName,userid,ltoken,remote,referer,lrevision,locale,userAgent,dtmcreated,dtmmodified,istate" . ($groupid ? ",groupid" : "") . ") values " .
|
||||
"('%s','%s',%s,'%s','%s',%s,'%s','%s',CURRENT_TIMESTAMP,CURRENT_TIMESTAMP,$initialState" . ($groupid ? ",$groupid" : "") . ")",
|
||||
"('%s',%s,%s,'%s','%s',%s,'%s','%s',CURRENT_TIMESTAMP,CURRENT_TIMESTAMP,%s" . ($groupid ? "," . intval($groupid) : "") . ")",
|
||||
mysql_real_escape_string($username, $link),
|
||||
mysql_real_escape_string($userid, $link),
|
||||
next_token(),
|
||||
intval($userid),
|
||||
intval(next_token()),
|
||||
mysql_real_escape_string($remoteHost, $link),
|
||||
mysql_real_escape_string($referer, $link),
|
||||
next_revision($link),
|
||||
intval(next_revision($link)),
|
||||
mysql_real_escape_string($lang, $link),
|
||||
mysql_real_escape_string($userbrowser, $link));
|
||||
mysql_real_escape_string($userbrowser, $link),
|
||||
intval($initialState));
|
||||
|
||||
perform_query($query, $link);
|
||||
$id = mysql_insert_id($link);
|
||||
@ -710,7 +717,7 @@ function notify_operators($thread, $firstmessage, $link)
|
||||
$groupid = $thread['groupid'];
|
||||
$query = "select ${mysqlprefix}chatoperator.operatorid as opid, inotify, vcjabbername, vcemail, (unix_timestamp(CURRENT_TIMESTAMP)-unix_timestamp(dtmlastvisited)) as time from ${mysqlprefix}chatoperator";
|
||||
if ($groupid) {
|
||||
$query .= ", ${mysqlprefix}chatgroupoperator where groupid = $groupid and ${mysqlprefix}chatoperator.operatorid = ${mysqlprefix}chatgroupoperator.operatorid and istatus = 0";
|
||||
$query .= ", ${mysqlprefix}chatgroupoperator where groupid = " . intval($groupid) . " and ${mysqlprefix}chatoperator.operatorid = ${mysqlprefix}chatgroupoperator.operatorid and istatus = 0";
|
||||
} else {
|
||||
$query .= " where istatus = 0";
|
||||
}
|
||||
@ -739,7 +746,7 @@ function check_connections_from_remote($remote, $link)
|
||||
}
|
||||
$result = select_one_row(
|
||||
"select count(*) as opened from ${mysqlprefix}chatthread " .
|
||||
"where remote = '" . mysql_real_escape_string($remote, $link) . "' AND istate <> $state_closed AND istate <> $state_left", $link);
|
||||
"where remote = '" . mysql_real_escape_string($remote, $link) . "' AND istate <> " . intval($state_closed) . " AND istate <> " . intval($state_left), $link);
|
||||
if ($result && isset($result['opened'])) {
|
||||
return $result['opened'] < $settings['max_connections_from_one_host'];
|
||||
}
|
||||
|
||||
@ -352,7 +352,7 @@ function connect()
|
||||
or die('Could not connect: ' . mysql_error());
|
||||
mysql_select_db($mysqldb, $link) or die('Could not select database');
|
||||
if ($force_charset_in_connection) {
|
||||
mysql_query("SET NAMES '$dbencoding'", $link);
|
||||
mysql_query("SET NAMES '" . mysql_real_escape_string($dbencoding, $link) . "'", $link);
|
||||
}
|
||||
return $link;
|
||||
}
|
||||
|
||||
@ -20,7 +20,7 @@ function group_by_id($id)
|
||||
global $mysqlprefix;
|
||||
$link = connect();
|
||||
$group = select_one_row(
|
||||
"select * from ${mysqlprefix}chatgroup where groupid = $id", $link);
|
||||
"select * from ${mysqlprefix}chatgroup where groupid = " . intval($id), $link);
|
||||
mysql_close($link);
|
||||
return $group;
|
||||
}
|
||||
@ -53,7 +53,7 @@ function get_operator_groupslist($operatorid, $link)
|
||||
global $settings, $mysqlprefix;
|
||||
if ($settings['enablegroups'] == '1') {
|
||||
$groupids = array(0);
|
||||
$allgroups = select_multi_assoc("select groupid from ${mysqlprefix}chatgroupoperator where operatorid = $operatorid order by groupid", $link);
|
||||
$allgroups = select_multi_assoc("select groupid from ${mysqlprefix}chatgroupoperator where operatorid = " . intval($operatorid) . " order by groupid", $link);
|
||||
foreach ($allgroups as $g) {
|
||||
$groupids[] = $g['groupid'];
|
||||
}
|
||||
|
||||
@ -20,12 +20,12 @@ function log_notification($locale, $kind, $to, $subj, $text, $refop, $link)
|
||||
global $mysqlprefix;
|
||||
$query = sprintf(
|
||||
"insert into ${mysqlprefix}chatnotification (locale,vckind,vcto,vcsubject,tmessage,refoperator,dtmcreated) values ('%s','%s','%s','%s','%s',%s,%s)",
|
||||
$locale,
|
||||
$kind,
|
||||
mysql_real_escape_string($locale, $link),
|
||||
mysql_real_escape_string($kind, $link),
|
||||
mysql_real_escape_string($to, $link),
|
||||
mysql_real_escape_string($subj, $link),
|
||||
mysql_real_escape_string($text, $link),
|
||||
$refop ? $refop : "0",
|
||||
$refop ? intval($refop) : "0",
|
||||
"CURRENT_TIMESTAMP");
|
||||
|
||||
perform_query($query, $link);
|
||||
|
||||
@ -53,7 +53,7 @@ function operator_by_id_($id, $link)
|
||||
{
|
||||
global $mysqlprefix;
|
||||
return select_one_row(
|
||||
"select * from ${mysqlprefix}chatoperator where operatorid = $id", $link);
|
||||
"select * from ${mysqlprefix}chatoperator where operatorid = " . intval($id), $link);
|
||||
}
|
||||
|
||||
function operator_by_id($id)
|
||||
@ -102,14 +102,14 @@ function update_operator($operatorid, $login, $email, $jabber, $password, $local
|
||||
"update ${mysqlprefix}chatoperator set vclogin = '%s',%s vclocalename = '%s', vccommonname = '%s'" .
|
||||
", vcemail = '%s', vcjabbername= '%s', inotify = %s" .
|
||||
" where operatorid = %s",
|
||||
mysql_real_escape_string($login),
|
||||
mysql_real_escape_string($login, $link),
|
||||
($password ? " vcpassword='" . md5($password) . "'," : ""),
|
||||
mysql_real_escape_string($localename),
|
||||
mysql_real_escape_string($commonname),
|
||||
mysql_real_escape_string($email),
|
||||
mysql_real_escape_string($jabber),
|
||||
$notify,
|
||||
$operatorid);
|
||||
mysql_real_escape_string($localename, $link),
|
||||
mysql_real_escape_string($commonname, $link),
|
||||
mysql_real_escape_string($email, $link),
|
||||
mysql_real_escape_string($jabber, $link),
|
||||
intval($notify),
|
||||
intval($operatorid));
|
||||
|
||||
perform_query($query, $link);
|
||||
mysql_close($link);
|
||||
@ -121,7 +121,7 @@ function update_operator_avatar($operatorid, $avatar)
|
||||
$link = connect();
|
||||
$query = sprintf(
|
||||
"update ${mysqlprefix}chatoperator set vcavatar = '%s' where operatorid = %s",
|
||||
mysql_real_escape_string($avatar), $operatorid);
|
||||
mysql_real_escape_string($avatar, $link), intval($operatorid));
|
||||
|
||||
perform_query($query, $link);
|
||||
mysql_close($link);
|
||||
@ -132,19 +132,19 @@ function create_operator_($login, $email, $jabber, $password, $localename, $comm
|
||||
global $mysqlprefix;
|
||||
$query = sprintf(
|
||||
"insert into ${mysqlprefix}chatoperator (vclogin,vcpassword,vclocalename,vccommonname,vcavatar,vcemail,vcjabbername,inotify) values ('%s','%s','%s','%s','%s','%s','%s',%s)",
|
||||
mysql_real_escape_string($login),
|
||||
mysql_real_escape_string($login, $link),
|
||||
md5($password),
|
||||
mysql_real_escape_string($localename),
|
||||
mysql_real_escape_string($commonname),
|
||||
mysql_real_escape_string($avatar),
|
||||
mysql_real_escape_string($email),
|
||||
mysql_real_escape_string($jabber),
|
||||
$notify);
|
||||
mysql_real_escape_string($localename, $link),
|
||||
mysql_real_escape_string($commonname, $link),
|
||||
mysql_real_escape_string($avatar, $link),
|
||||
mysql_real_escape_string($email, $link),
|
||||
mysql_real_escape_string($jabber, $link),
|
||||
intval($notify));
|
||||
|
||||
perform_query($query, $link);
|
||||
$id = mysql_insert_id($link);
|
||||
|
||||
return select_one_row("select * from ${mysqlprefix}chatoperator where operatorid = $id", $link);
|
||||
return select_one_row("select * from ${mysqlprefix}chatoperator where operatorid = " . intval($id), $link);
|
||||
}
|
||||
|
||||
function create_operator($login, $email, $jabber, $password, $localename, $commonname, $notify, $avatar)
|
||||
@ -159,7 +159,7 @@ function notify_operator_alive($operatorid, $istatus)
|
||||
{
|
||||
global $mysqlprefix;
|
||||
$link = connect();
|
||||
perform_query("update ${mysqlprefix}chatoperator set istatus = $istatus, dtmlastvisited = CURRENT_TIMESTAMP where operatorid = $operatorid", $link);
|
||||
perform_query(sprintf("update ${mysqlprefix}chatoperator set istatus = %s, dtmlastvisited = CURRENT_TIMESTAMP where operatorid = %s", intval($istatus), intval($operatorid)), $link);
|
||||
mysql_close($link);
|
||||
}
|
||||
|
||||
@ -170,7 +170,7 @@ function has_online_operators($groupid = "")
|
||||
$link = connect();
|
||||
$query = "select count(*) as total, min(unix_timestamp(CURRENT_TIMESTAMP)-unix_timestamp(dtmlastvisited)) as time from ${mysqlprefix}chatoperator";
|
||||
if ($groupid) {
|
||||
$query .= ", ${mysqlprefix}chatgroupoperator where groupid = $groupid and ${mysqlprefix}chatoperator.operatorid = " .
|
||||
$query .= ", ${mysqlprefix}chatgroupoperator where groupid = " . intval($groupid) . " and ${mysqlprefix}chatoperator.operatorid = " .
|
||||
"${mysqlprefix}chatgroupoperator.operatorid and istatus = 0";
|
||||
} else {
|
||||
$query .= " where istatus = 0";
|
||||
@ -185,7 +185,7 @@ function is_operator_online($operatorid, $link)
|
||||
global $settings, $mysqlprefix;
|
||||
loadsettings_($link);
|
||||
$query = "select count(*) as total, min(unix_timestamp(CURRENT_TIMESTAMP)-unix_timestamp(dtmlastvisited)) as time " .
|
||||
"from ${mysqlprefix}chatoperator where operatorid = $operatorid";
|
||||
"from ${mysqlprefix}chatoperator where operatorid = " . intval($operatorid);
|
||||
$row = select_one_row($query, $link);
|
||||
return $row['time'] < $settings['online_timeout'] && $row['total'] == 1;
|
||||
}
|
||||
@ -289,7 +289,7 @@ function setup_redirect_links($threadid, $token)
|
||||
|
||||
$operators = select_multi_assoc(db_build_select(
|
||||
"operatorid, vclogin, vclocalename, vccommonname, istatus, (unix_timestamp(CURRENT_TIMESTAMP)-unix_timestamp(dtmlastvisited)) as time",
|
||||
"${mysqlprefix}chatoperator", array(), "order by vclogin $limit"), $link);
|
||||
"${mysqlprefix}chatoperator", array(), "order by vclogin " . $limit), $link);
|
||||
|
||||
$groups = array_slice($groups, $p['start'], $p['end'] - $p['start']);
|
||||
mysql_close($link);
|
||||
@ -398,7 +398,7 @@ function get_operator_groupids($operatorid)
|
||||
{
|
||||
global $mysqlprefix;
|
||||
$link = connect();
|
||||
$query = "select groupid from ${mysqlprefix}chatgroupoperator where operatorid = $operatorid";
|
||||
$query = "select groupid from ${mysqlprefix}chatgroupoperator where operatorid = " . intval($operatorid);
|
||||
$result = select_multi_assoc($query, $link);
|
||||
mysql_close($link);
|
||||
return $result;
|
||||
|
||||
@ -36,13 +36,15 @@ function prepare_pagination($items_count, $default_items_per_page = 15)
|
||||
{
|
||||
global $page;
|
||||
|
||||
$items_count = intval($items_count);
|
||||
|
||||
if ($items_count) {
|
||||
$items_per_page = verifyparam("items", "/^\d{1,3}$/", $default_items_per_page);
|
||||
$items_per_page = intval(verifyparam("items", "/^\d{1,3}$/", $default_items_per_page));
|
||||
if ($items_per_page < 2)
|
||||
$items_per_page = 2;
|
||||
|
||||
$total_pages = div($items_count + $items_per_page - 1, $items_per_page);
|
||||
$curr_page = verifyparam("page", "/^\d{1,6}$/", 1);
|
||||
$curr_page = intval(verifyparam("page", "/^\d{1,6}$/", 1));
|
||||
|
||||
if ($curr_page < 1)
|
||||
$curr_page = 1;
|
||||
|
||||
@ -21,9 +21,9 @@ function update_settings()
|
||||
$link = connect();
|
||||
foreach ($settings as $key => $value) {
|
||||
if (!isset($settings_in_db[$key])) {
|
||||
perform_query("insert into ${mysqlprefix}chatconfig (vckey) values ('$key')", $link);
|
||||
perform_query("insert into ${mysqlprefix}chatconfig (vckey) values ('" . mysql_real_escape_string($key, $link) . "')", $link);
|
||||
}
|
||||
$query = sprintf("update ${mysqlprefix}chatconfig set vcvalue='%s' where vckey='$key'", mysql_real_escape_string($value));
|
||||
$query = sprintf("update ${mysqlprefix}chatconfig set vcvalue='%s' where vckey='%s'", mysql_real_escape_string($value, $link), mysql_real_escape_string($key, $link));
|
||||
perform_query($query, $link);
|
||||
}
|
||||
|
||||
|
||||
@ -63,16 +63,17 @@ if (isset($_POST['address'])) {
|
||||
if (!$banId) {
|
||||
$query = sprintf(
|
||||
"insert into ${mysqlprefix}chatban (dtmcreated,dtmtill,address,comment) values (CURRENT_TIMESTAMP,%s,'%s','%s')",
|
||||
"FROM_UNIXTIME($utime)",
|
||||
"FROM_UNIXTIME(" . intval($utime) . ")",
|
||||
mysql_real_escape_string($address, $link),
|
||||
mysql_real_escape_string($comment, $link));
|
||||
perform_query($query, $link);
|
||||
} else {
|
||||
$query = sprintf(
|
||||
"update ${mysqlprefix}chatban set dtmtill = %s,address = '%s',comment = '%s' where banid = $banId",
|
||||
"FROM_UNIXTIME($utime)",
|
||||
"update ${mysqlprefix}chatban set dtmtill = %s,address = '%s',comment = '%s' where banid = %s",
|
||||
"FROM_UNIXTIME(" . intval($utime) . ")",
|
||||
mysql_real_escape_string($address, $link),
|
||||
mysql_real_escape_string($comment, $link));
|
||||
mysql_real_escape_string($comment, $link),
|
||||
intval($banId));
|
||||
perform_query($query, $link);
|
||||
}
|
||||
mysql_close($link);
|
||||
@ -94,7 +95,7 @@ if (isset($_POST['address'])) {
|
||||
} else if (isset($_GET['id'])) {
|
||||
$banId = verifyparam('id', "/^\d{1,9}$/");
|
||||
$link = connect();
|
||||
$ban = select_one_row("select banid,(unix_timestamp(dtmtill)-unix_timestamp(CURRENT_TIMESTAMP)) as days,address,comment from ${mysqlprefix}chatban where banid = $banId", $link);
|
||||
$ban = select_one_row("select banid,(unix_timestamp(dtmtill)-unix_timestamp(CURRENT_TIMESTAMP)) as days,address,comment from ${mysqlprefix}chatban where banid = " . intval($banId), $link);
|
||||
mysql_close($link);
|
||||
|
||||
if ($ban) {
|
||||
|
||||
@ -38,7 +38,7 @@ if (isset($_GET['act']) && $_GET['act'] == 'del') {
|
||||
}
|
||||
|
||||
if (count($errors) == 0) {
|
||||
perform_query("delete from ${mysqlprefix}chatban where banid = $banId", $link);
|
||||
perform_query("delete from ${mysqlprefix}chatban where banid = " . intval($banId), $link);
|
||||
header("Location: $webimroot/operator/blocked.php");
|
||||
exit;
|
||||
}
|
||||
|
||||
@ -33,9 +33,9 @@ function load_canned_messages($locale, $groupid)
|
||||
global $mysqlprefix;
|
||||
$link = connect();
|
||||
$query = "select id, vcvalue from ${mysqlprefix}chatresponses " .
|
||||
"where locale = '" . $locale . "' AND (" .
|
||||
"where locale = '" . mysql_real_escape_string($locale, $link) . "' AND (" .
|
||||
($groupid
|
||||
? "groupid = $groupid"
|
||||
? "groupid = " . intval($groupid)
|
||||
: "groupid is NULL OR groupid = 0") .
|
||||
") order by vcvalue";
|
||||
|
||||
@ -50,7 +50,7 @@ function load_canned_messages($locale, $groupid)
|
||||
if ($i > 0) {
|
||||
$updatequery .= ", ";
|
||||
}
|
||||
$updatequery .= "('" . mysql_real_escape_string($result[$i]['vcvalue'], $link) . "','$locale', NULL)";
|
||||
$updatequery .= "('" . mysql_real_escape_string($result[$i]['vcvalue'], $link) . "','". mysql_real_escape_string($locale, $link) . "', NULL)";
|
||||
}
|
||||
perform_query($updatequery, $link);
|
||||
$result = select_multi_assoc($query, $link);
|
||||
@ -108,7 +108,7 @@ if (isset($_GET['act']) && $_GET['act'] == 'delete') {
|
||||
|
||||
if (count($errors) == 0) {
|
||||
$link = connect();
|
||||
perform_query("delete from ${mysqlprefix}chatresponses where id = $key", $link);
|
||||
perform_query("delete from ${mysqlprefix}chatresponses where id = " . intval($key), $link);
|
||||
mysql_close($link);
|
||||
header("Location: $webimroot/operator/canned.php?lang=$lang&group=$groupid");
|
||||
exit;
|
||||
|
||||
@ -23,7 +23,7 @@ function load_message($key)
|
||||
{
|
||||
global $mysqlprefix;
|
||||
$link = connect();
|
||||
$result = select_one_row("select vcvalue from ${mysqlprefix}chatresponses where id = $key", $link);
|
||||
$result = select_one_row("select vcvalue from ${mysqlprefix}chatresponses where id = " . intval($key), $link);
|
||||
mysql_close($link);
|
||||
return $result ? $result['vcvalue'] : null;
|
||||
}
|
||||
@ -33,7 +33,7 @@ function save_message($key, $message)
|
||||
global $mysqlprefix;
|
||||
$link = connect();
|
||||
perform_query("update ${mysqlprefix}chatresponses set vcvalue = '" . mysql_real_escape_string($message, $link) . "' " .
|
||||
"where id = $key", $link);
|
||||
"where id = " . intval($key), $link);
|
||||
mysql_close($link);
|
||||
}
|
||||
|
||||
@ -41,8 +41,8 @@ function add_message($locale, $groupid, $message)
|
||||
{
|
||||
global $mysqlprefix;
|
||||
$link = connect();
|
||||
perform_query("insert into ${mysqlprefix}chatresponses (locale,groupid,vcvalue) values ('$locale'," .
|
||||
($groupid ? "$groupid, " : "null, ") .
|
||||
perform_query("insert into ${mysqlprefix}chatresponses (locale,groupid,vcvalue) values ('" . mysql_real_escape_string($locale, $link) . "'," .
|
||||
($groupid ? intval($groupid) . ", " : "null, ") .
|
||||
"'" . mysql_real_escape_string($message, $link) . "')", $link);
|
||||
mysql_close($link);
|
||||
}
|
||||
|
||||
@ -41,16 +41,16 @@ function create_group($name, $descr, $commonname, $commondescr, $email)
|
||||
$link = connect();
|
||||
$query = sprintf(
|
||||
"insert into ${mysqlprefix}chatgroup (vclocalname,vclocaldescription,vccommonname,vccommondescription,vcemail) values ('%s','%s','%s','%s','%s')",
|
||||
mysql_real_escape_string($name),
|
||||
mysql_real_escape_string($descr),
|
||||
mysql_real_escape_string($commonname),
|
||||
mysql_real_escape_string($commondescr),
|
||||
mysql_real_escape_string($email));
|
||||
mysql_real_escape_string($name, $link),
|
||||
mysql_real_escape_string($descr, $link),
|
||||
mysql_real_escape_string($commonname, $link),
|
||||
mysql_real_escape_string($commondescr, $link),
|
||||
mysql_real_escape_string($email, $link));
|
||||
|
||||
perform_query($query, $link);
|
||||
$id = mysql_insert_id($link);
|
||||
|
||||
$newdep = select_one_row("select * from ${mysqlprefix}chatgroup where groupid = $id", $link);
|
||||
$newdep = select_one_row("select * from ${mysqlprefix}chatgroup where groupid = " . intval($id), $link);
|
||||
mysql_close($link);
|
||||
return $newdep;
|
||||
}
|
||||
@ -61,12 +61,12 @@ function update_group($groupid, $name, $descr, $commonname, $commondescr, $email
|
||||
$link = connect();
|
||||
$query = sprintf(
|
||||
"update ${mysqlprefix}chatgroup set vclocalname = '%s', vclocaldescription = '%s', vccommonname = '%s', vccommondescription = '%s', vcemail = '%s' where groupid = %s",
|
||||
mysql_real_escape_string($name),
|
||||
mysql_real_escape_string($descr),
|
||||
mysql_real_escape_string($commonname),
|
||||
mysql_real_escape_string($commondescr),
|
||||
mysql_real_escape_string($email),
|
||||
$groupid);
|
||||
mysql_real_escape_string($name, $link),
|
||||
mysql_real_escape_string($descr, $link),
|
||||
mysql_real_escape_string($commonname, $link),
|
||||
mysql_real_escape_string($commondescr, $link),
|
||||
mysql_real_escape_string($email, $link),
|
||||
intval($groupid));
|
||||
|
||||
perform_query($query, $link);
|
||||
mysql_close($link);
|
||||
|
||||
@ -26,7 +26,7 @@ function get_group_members($groupid)
|
||||
{
|
||||
global $mysqlprefix;
|
||||
$link = connect();
|
||||
$query = "select operatorid from ${mysqlprefix}chatgroupoperator where groupid = $groupid";
|
||||
$query = "select operatorid from ${mysqlprefix}chatgroupoperator where groupid = " . intval($groupid);
|
||||
$result = select_multi_assoc($query, $link);
|
||||
mysql_close($link);
|
||||
return $result;
|
||||
@ -36,9 +36,9 @@ function update_group_members($groupid, $newvalue)
|
||||
{
|
||||
global $mysqlprefix;
|
||||
$link = connect();
|
||||
perform_query("delete from ${mysqlprefix}chatgroupoperator where groupid = $groupid", $link);
|
||||
perform_query("delete from ${mysqlprefix}chatgroupoperator where groupid = " . intval($groupid), $link);
|
||||
foreach ($newvalue as $opid) {
|
||||
perform_query("insert into ${mysqlprefix}chatgroupoperator (groupid, operatorid) values ($groupid,$opid)", $link);
|
||||
perform_query(sprintf("insert into ${mysqlprefix}chatgroupoperator (groupid, operatorid) values (%s, %s)", intval($groupid), intval($opid)), $link);
|
||||
}
|
||||
mysql_close($link);
|
||||
}
|
||||
|
||||
@ -35,9 +35,9 @@ if (isset($_GET['act']) && $_GET['act'] == 'del') {
|
||||
|
||||
if (count($errors) == 0) {
|
||||
$link = connect();
|
||||
perform_query("delete from ${mysqlprefix}chatgroup where groupid = $groupid", $link);
|
||||
perform_query("delete from ${mysqlprefix}chatgroupoperator where groupid = $groupid", $link);
|
||||
perform_query("update ${mysqlprefix}chatthread set groupid = 0 where groupid = $groupid", $link);
|
||||
perform_query("delete from ${mysqlprefix}chatgroup where groupid = " . intval($groupid), $link);
|
||||
perform_query("delete from ${mysqlprefix}chatgroupoperator where groupid = " . intval($groupid), $link);
|
||||
perform_query("update ${mysqlprefix}chatthread set groupid = 0 where groupid = " . intval($groupid), $link);
|
||||
mysql_close($link);
|
||||
header("Location: $webimroot/operator/groups.php");
|
||||
exit;
|
||||
|
||||
@ -31,7 +31,7 @@ function notification_info($id)
|
||||
$link = connect();
|
||||
$notification = select_one_row(db_build_select(
|
||||
"id, locale, vckind, vcto, unix_timestamp(dtmcreated) as created, vcsubject, tmessage, refoperator", "${mysqlprefix}chatnotification",
|
||||
array("id = $id"), ""), $link);
|
||||
array("id = " . intval($id)), ""), $link);
|
||||
mysql_close($link);
|
||||
return $notification;
|
||||
}
|
||||
|
||||
@ -54,10 +54,10 @@ $page['allkinds'] = array('', 'mail', 'xmpp');
|
||||
|
||||
$conditions = array();
|
||||
if ($kind) {
|
||||
$conditions[] = "vckind = '$kind'";
|
||||
$conditions[] = "vckind = '" . mysql_real_escape_string($kind, $link) . "'";
|
||||
}
|
||||
if ($lang) {
|
||||
$conditions[] = "locale = '$lang'";
|
||||
$conditions[] = "locale = '" . mysql_real_escape_string($lang, $link) . "'";
|
||||
}
|
||||
|
||||
$link = connect();
|
||||
|
||||
@ -47,8 +47,8 @@ if (isset($_GET['act']) && $_GET['act'] == 'del') {
|
||||
|
||||
if (count($errors) == 0) {
|
||||
$link = connect();
|
||||
perform_query("delete from ${mysqlprefix}chatgroupoperator where operatorid = $operatorid", $link);
|
||||
perform_query("delete from ${mysqlprefix}chatoperator where operatorid = $operatorid", $link);
|
||||
perform_query("delete from ${mysqlprefix}chatgroupoperator where operatorid = " . intval($operatorid), $link);
|
||||
perform_query("delete from ${mysqlprefix}chatoperator where operatorid = " . intval($operatorid), $link);
|
||||
mysql_close($link);
|
||||
|
||||
header("Location: $webimroot/operator/operators.php");
|
||||
|
||||
@ -26,9 +26,9 @@ function update_operator_groups($operatorid, $newvalue)
|
||||
{
|
||||
global $mysqlprefix;
|
||||
$link = connect();
|
||||
perform_query("delete from ${mysqlprefix}chatgroupoperator where operatorid = $operatorid", $link);
|
||||
perform_query("delete from ${mysqlprefix}chatgroupoperator where operatorid = " . intval($operatorid), $link);
|
||||
foreach ($newvalue as $groupid) {
|
||||
perform_query("insert into ${mysqlprefix}chatgroupoperator (groupid, operatorid) values ($groupid,$operatorid)", $link);
|
||||
perform_query(sprintf("insert into ${mysqlprefix}chatgroupoperator (groupid, operatorid) values (%s,%s)", intval($groupid), intval($operatorid)), $link);
|
||||
}
|
||||
mysql_close($link);
|
||||
}
|
||||
|
||||
@ -26,8 +26,7 @@ function update_operator_permissions($operatorid, $newvalue)
|
||||
{
|
||||
global $mysqlprefix;
|
||||
$link = connect();
|
||||
$query = "update ${mysqlprefix}chatoperator set iperm = $newvalue where operatorid = $operatorid";
|
||||
|
||||
$query = sprintf("update ${mysqlprefix}chatoperator set iperm = %s where operatorid = %s", intval($newvalue), intval($operatorid));
|
||||
perform_query($query, $link);
|
||||
mysql_close($link);
|
||||
}
|
||||
|
||||
@ -65,7 +65,7 @@ if (isset($_GET['nextGroup'])) {
|
||||
$link = connect();
|
||||
$threadupdate = array("istate" => $state_waiting, "nextagent" => $nextid, "agentId" => 0);
|
||||
if ($thread['groupid'] != 0) {
|
||||
if (FALSE === select_one_row("select groupid from ${mysqlprefix}chatgroupoperator where operatorid = $nextid and groupid = " . $thread['groupid'], $link)) {
|
||||
if (FALSE === select_one_row("select groupid from ${mysqlprefix}chatgroupoperator where operatorid = " . intval($nextid) . " and groupid = " . intval($thread['groupid']), $link)) {
|
||||
$threadupdate['groupid'] = 0;
|
||||
}
|
||||
}
|
||||
|
||||
@ -49,7 +49,7 @@ if (count($errors) == 0 && isset($_POST['password'])) {
|
||||
$page['isdone'] = true;
|
||||
|
||||
$link = connect();
|
||||
$query = "update ${mysqlprefix}chatoperator set vcpassword = '" . md5($password) . "', vcrestoretoken = '' where operatorid = " . $opId;
|
||||
$query = "update ${mysqlprefix}chatoperator set vcpassword = '" . md5($password) . "', vcrestoretoken = '' where operatorid = " . intval($opId);
|
||||
perform_query($query, $link);
|
||||
mysql_close($link);
|
||||
|
||||
|
||||
@ -41,7 +41,7 @@ if (isset($_POST['loginoremail'])) {
|
||||
$token = md5((time() + microtime()) . rand(0, 99999999));
|
||||
|
||||
$link = connect();
|
||||
$query = "update ${mysqlprefix}chatoperator set dtmrestore = CURRENT_TIMESTAMP, vcrestoretoken = '$token' where operatorid = " . $torestore['operatorid'];
|
||||
$query = sprintf("update ${mysqlprefix}chatoperator set dtmrestore = CURRENT_TIMESTAMP, vcrestoretoken = '%s' where operatorid = %s", mysql_real_escape_string($token, $link), intval($torestore['operatorid']));
|
||||
perform_query($query, $link);
|
||||
|
||||
$href = get_app_location(true, false) . "/operator/resetpwd.php?id=" . $torestore['operatorid'] . "&token=$token";
|
||||
|
||||
@ -65,15 +65,15 @@ if ($start > $end) {
|
||||
|
||||
$link = connect();
|
||||
|
||||
$page['reportByDate'] = select_multi_assoc("select DATE(dtmcreated) as date, COUNT(distinct threadid) as threads, SUM(${mysqlprefix}chatmessage.ikind = $kind_agent) as agents, SUM(${mysqlprefix}chatmessage.ikind = $kind_user) as users " .
|
||||
"from ${mysqlprefix}chatmessage where unix_timestamp(dtmcreated) >= $start AND unix_timestamp(dtmcreated) < $end group by DATE(dtmcreated) order by dtmcreated desc", $link);
|
||||
$page['reportByDate'] = select_multi_assoc("select DATE(dtmcreated) as date, COUNT(distinct threadid) as threads, SUM(${mysqlprefix}chatmessage.ikind = " . intval($kind_agent) . ") as agents, SUM(${mysqlprefix}chatmessage.ikind = " . intval($kind_user) . ") as users " .
|
||||
"from ${mysqlprefix}chatmessage where unix_timestamp(dtmcreated) >= " . intval($start) . " AND unix_timestamp(dtmcreated) < " . intval($end) . " group by DATE(dtmcreated) order by dtmcreated desc", $link);
|
||||
|
||||
$page['reportByDateTotal'] = select_one_row("select COUNT(distinct threadid) as threads, SUM(${mysqlprefix}chatmessage.ikind = $kind_agent) as agents, SUM(${mysqlprefix}chatmessage.ikind = $kind_user) as users " .
|
||||
"from ${mysqlprefix}chatmessage where unix_timestamp(dtmcreated) >= $start AND unix_timestamp(dtmcreated) < $end", $link);
|
||||
$page['reportByDateTotal'] = select_one_row("select COUNT(distinct threadid) as threads, SUM(${mysqlprefix}chatmessage.ikind = " . intval($kind_agent) . ") as agents, SUM(${mysqlprefix}chatmessage.ikind = " . intval($kind_user) . ") as users " .
|
||||
"from ${mysqlprefix}chatmessage where unix_timestamp(dtmcreated) >= " . intval($start) . " AND unix_timestamp(dtmcreated) < " . intval($end), $link);
|
||||
|
||||
$page['reportByAgent'] = select_multi_assoc("select vclocalename as name, COUNT(distinct threadid) as threads, SUM(ikind = $kind_agent) as msgs, AVG(CHAR_LENGTH(tmessage)) as avglen " .
|
||||
$page['reportByAgent'] = select_multi_assoc("select vclocalename as name, COUNT(distinct threadid) as threads, SUM(ikind = " . intval($kind_agent) . ") as msgs, AVG(CHAR_LENGTH(tmessage)) as avglen " .
|
||||
"from ${mysqlprefix}chatmessage, ${mysqlprefix}chatoperator " .
|
||||
"where agentId = operatorid AND unix_timestamp(dtmcreated) >= $start AND unix_timestamp(dtmcreated) < $end group by operatorid", $link);
|
||||
"where agentId = operatorid AND unix_timestamp(dtmcreated) >= " . intval($start) . " AND unix_timestamp(dtmcreated) < " . intval($end) . " group by operatorid", $link);
|
||||
|
||||
$page['showresults'] = count($errors) == 0;
|
||||
|
||||
|
||||
@ -35,7 +35,7 @@ function thread_info($id)
|
||||
"unix_timestamp(dtmmodified) as modified, unix_timestamp(dtmcreated) as created," .
|
||||
"vclocalname as groupName " .
|
||||
"from ${mysqlprefix}chatthread left join ${mysqlprefix}chatgroup on ${mysqlprefix}chatthread.groupid = ${mysqlprefix}chatgroup.groupid " .
|
||||
"where threadid = " . $id, $link);
|
||||
"where threadid = " . intval($id), $link);
|
||||
mysql_close($link);
|
||||
return $thread;
|
||||
}
|
||||
|
||||
@ -98,7 +98,7 @@ $can_viewthreads, $can_takeover, $mysqlprefix;
|
||||
$userAgent = get_useragent_version($thread['userAgent']);
|
||||
$result .= "<useragent>" . safe_htmlspecialchars(safe_htmlspecialchars($userAgent)) . "</useragent>";
|
||||
if ($thread["shownmessageid"] != 0) {
|
||||
$query = "select tmessage from ${mysqlprefix}chatmessage where messageid = " . $thread["shownmessageid"];
|
||||
$query = "select tmessage from ${mysqlprefix}chatmessage where messageid = " . intval($thread["shownmessageid"]);
|
||||
$line = select_one_row($query, $link);
|
||||
if ($line) {
|
||||
$message = preg_replace("/[\r\n\t]+/", " ", $line["tmessage"]);
|
||||
@ -116,19 +116,22 @@ function print_pending_threads($groupids, $since)
|
||||
|
||||
$revision = $since;
|
||||
$output = array();
|
||||
|
||||
$groupids = join(",", array_map("intval", preg_split('/,/', $groupids)));
|
||||
|
||||
$query = "select threadid, userName, agentName, unix_timestamp(dtmcreated), userTyping, " .
|
||||
"unix_timestamp(dtmmodified), lrevision, istate, remote, nextagent, agentId, userid, shownmessageid, userAgent, (select vclocalname from ${mysqlprefix}chatgroup where ${mysqlprefix}chatgroup.groupid = ${mysqlprefix}chatthread.groupid) as groupname " .
|
||||
"from ${mysqlprefix}chatthread where lrevision > $since " .
|
||||
"from ${mysqlprefix}chatthread where lrevision > " . intval($since) .
|
||||
($since <= 0
|
||||
? "AND istate <> $state_closed AND istate <> $state_left "
|
||||
? " AND istate <> " . intval($state_closed) . " AND istate <> " . intval($state_left)
|
||||
: "") .
|
||||
($settings['enablegroups'] == '1'
|
||||
? "AND (groupid is NULL" . ($groupids
|
||||
? " AND (groupid is NULL" . ($groupids
|
||||
? " OR groupid IN ($groupids)"
|
||||
: "") .
|
||||
") "
|
||||
")"
|
||||
: "") .
|
||||
"ORDER BY threadid";
|
||||
" ORDER BY threadid";
|
||||
$rows = select_multi_assoc($query, $link);
|
||||
foreach ($rows as $row) {
|
||||
$thread = thread_to_xml($row, $link);
|
||||
|
||||
@ -44,7 +44,7 @@ function threads_by_userid($userid)
|
||||
$query = sprintf("select unix_timestamp(dtmcreated) as created, unix_timestamp(dtmmodified) as modified, " .
|
||||
" threadid, remote, agentName, userName " .
|
||||
"from ${mysqlprefix}chatthread " .
|
||||
"where userid=\"$userid\" order by created DESC", $userid);
|
||||
"where userid=%s order by created DESC", intval($userid));
|
||||
|
||||
$result = mysql_query($query, $link) or die(' Query failed: ' . mysql_error($link));
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user