X-Git-Url: http://git.harvie.cz/?a=blobdiff_plain;f=wwwroot%2Finc%2Fsmarty%2Fnode_methodz%2Ffunction.get_nodes_by_parent.php;h=9fb36599c53b0720cab628d2dc42ecebcb6e6d81;hb=d9b4dfbcb3d920445869db2c3abd706ee6916286;hp=dc9c011cde8436451f34be8bfeee1a937e0eaebd;hpb=ccb9c667e7fdb56dfc2aa3c800328511a26dffb8;p=mirrors%2FKyberia-bloodline.git
diff --git a/wwwroot/inc/smarty/node_methodz/function.get_nodes_by_parent.php b/wwwroot/inc/smarty/node_methodz/function.get_nodes_by_parent.php
index dc9c011..9fb3659 100644
--- a/wwwroot/inc/smarty/node_methodz/function.get_nodes_by_parent.php
+++ b/wwwroot/inc/smarty/node_methodz/function.get_nodes_by_parent.php
@@ -3,6 +3,8 @@ function smarty_function_get_nodes_by_parent($params,&$smarty) {
 global $node;
+ $sql_time="";
+ $sql_type="";
 $parent=$params['parent'];
 $permissions=permissions::checkPerms($parent);
 if (!$permissions['r']) {
@@ -11,28 +13,31 @@ function smarty_function_get_nodes_by_parent($params,&$smarty) {
 }
 $parent_vectot=$parent['node_vector'];
- if ($params['listing_amount']=='all') $listing_amount='100'; // XXX remove constant
+ if ($params['listing_amount']=='all') $listing_amount=DEF_MAX_LISTING_AMMOUNT;
 else $listing_amount=$params['listing_amount'];
 if (empty($params['offset'])) $offset=0;
 else $offset=$params['offset'];
- if ($params['orderby']) {
- $orderby=addslashes($params['orderby']);
+ if (isset($params['orderby'])) {
+ $orderby=db_escape_string($params['orderby']);
 }
 global $db,$node;
 $node_id=$node['node_id'];
 $user_id=$_SESSION['user_id'];
-if ($params['time']) $sql_time=" nodes.node_created > '".addslashes($params['time'])."' and ";
+ if (isset($params['time'])) {
+ $sql_time=" nodes.node_created > '".db_escape_string($params['time'])."' and ";
+ }
+
 $q="select parent.node_name as parent_name,users.*,nodes.*,node_access.node_user_subchild_count from nodes left join nodes as parent on parent.node_id=nodes.node_parent left join node_access on node_access.node_id=nodes.node_id and node_access.user_id='$user_id' left join users on users.user_id=nodes.node_creator where ";
 $q.=" $sql_time nodes.node_parent='$parent' and nodes.node_system_access!='private'";
- if ($_POST['template_event']=='filter_by') {
- if ($_POST['search_type']=='content')
- $sql_type.=" and node_content like '%".addslashes($_POST['node_content'])."%' ";
+ if (isset($_POST['template_event']) && $_POST['template_event']=='filter_by') {
+ if (isset($_POST['search_type']) && $_POST['search_type']=='content')
+ $sql_type.=" and node_content like '%".db_escape_string($_POST['node_content'])."%' ";
 else {
- $q2="select user_id from users where login='".mysql_real_escape_string($_POST['node_content'])."'";
+ $q2="select user_id from users where login='".db_escape_string($_POST['node_content'])."'";
 $userset=$db->query($q2);
 $userset->next();
 $id=$userset->getString('user_id');
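Review bot: Passing `$params['orderby']` through db_escape_string does not make the later `order by $orderby` safe, because the value is interpolated as a bare identifier with no surrounding quotes, so escaping quote characters leaves arbitrary SQL tokens intact; `$params['listing_amount']` and `$params['offset']` are likewise interpolated without a cast into `LIMIT $offset,$listing_amount` in the third hunk. Whether these template parameters can carry user-controlled values depends on the calling templates, which are outside this diff, but a whitelist and integer casts close the gap either way: `$orderby = in_array($params['orderby'], $sortableColumns, true) ? $params['orderby'] : null;` (with `$sortableColumns` being the project's own list of permitted columns), `$offset=(int)$params['offset'];` and `$listing_amount=(int)$params['listing_amount'];`. The unchanged `nodes.node_parent='$parent'` line has the same shape; if permissions::checkPerms does not already validate `$parent` as an integer, casting it too is advisable. smarty_function_get_nodes_by_parent starts before this hunk and ends after the third one.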
@@ -41,7 +46,7 @@ if ($params['time']) $sql_time=" nodes.node_created > '".addslashes($params['tim
 $q.=$sql_type;
 }
- if ($orderby) $q.=" order by $orderby ";
+ if (isset($orderby)) $q.=" order by $orderby ";
 else $q.=" order by nodes.node_id desc ";
 $q.= " LIMIT $offset,$listing_amount ";
 $set=$db->query($q);