From 8f52a0530e35e87e5624e1bb84283aa58ea78e2b Mon Sep 17 00:00:00 2001 From: niekt0 Date: Wed, 28 Sep 2011 01:30:56 +0200 Subject: [PATCH] removing warnings --- wwwroot/inc/senate.inc | 2 ++ .../function.get_nodes_by_parent.php | 16 +++++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/wwwroot/inc/senate.inc b/wwwroot/inc/senate.inc index 2219113..1acd0f2 100644 --- a/wwwroot/inc/senate.inc +++ b/wwwroot/inc/senate.inc @@ -14,6 +14,8 @@ define('DEF_DATA_TEMPLATE',12); define('DEF_GALLERY_TEMPLATE',1041658); define('DEF_LAST_NODE',23); +define('DEF_MAX_LISTING_AMMOUNT',100); + // 1961061 citizens? // 1061495 citizens? // 1961070 citizens? diff --git a/wwwroot/inc/smarty/node_methodz/function.get_nodes_by_parent.php b/wwwroot/inc/smarty/node_methodz/function.get_nodes_by_parent.php index b392c51..35c1aa3 100644 --- a/wwwroot/inc/smarty/node_methodz/function.get_nodes_by_parent.php +++ b/wwwroot/inc/smarty/node_methodz/function.get_nodes_by_parent.php @@ -11,26 +11,28 @@ function smarty_function_get_nodes_by_parent($params,&$smarty) { } $parent_vectot=$parent['node_vector']; - if ($params['listing_amount']=='all') $listing_amount='100'; // XXX remove constant + if ($params['listing_amount']=='all') $listing_amount=DEF_MAX_LISTING_AMMOUNT; else $listing_amount=$params['listing_amount']; if (empty($params['offset'])) $offset=0; else $offset=$params['offset']; - if ($params['orderby']) { - $orderby=addslashes($params['orderby']); + if (isset($params['orderby'])) { + $orderby=db_escape_string($params['orderby']); } global $db,$node; $node_id=$node['node_id']; $user_id=$_SESSION['user_id']; -if ($params['time']) $sql_time=" nodes.node_created > '".addslashes($params['time'])."' and "; + if (isset($params['time'])) { + $sql_time=" nodes.node_created > '".db_escape_string($params['time'])."' and "; + } $q="select parent.node_name as parent_name,users.*,nodes.*,node_access.node_user_subchild_count from nodes left join nodes as parent on parent.node_id=nodes.node_parent left join node_access on node_access.node_id=nodes.node_id and node_access.user_id='$user_id' left join users on users.user_id=nodes.node_creator where "; $q.=" $sql_time nodes.node_parent='$parent' and nodes.node_system_access!='private'"; - if ($_POST['template_event']=='filter_by') { - if ($_POST['search_type']=='content') - $sql_type.=" and node_content like '%".addslashes($_POST['node_content'])."%' "; + if (isset($_POST['template_event']) && $_POST['template_event']=='filter_by') { + if (isset($_POST['search_type']) && $_POST['search_type']=='content') + $sql_type.=" and node_content like '%".db_escape_string($_POST['node_content'])."%' "; else { $q2="select user_id from users where login='".db_escape_string($_POST['node_content'])."'"; $userset=$db->query($q2); -- 2.30.2