\r
// get next and prev month links ...\r
global $archivenext, $archiveprev, $archivetype, $archivenextexists, $archiveprevexists;\r
- \r
+\r
// sql queries for the timestamp of the first and the last published item\r
$query = "SELECT UNIX_TIMESTAMP(itime) as result FROM ".sql_table('item')." WHERE idraft=0 AND iblog=".(int)($blogid ? $blogid : $CONF['DefaultBlog'])." ORDER BY itime ASC";\r
$first_timestamp=quickQuery ($query);\r
if ($d != 0) {\r
$archivetype = _ARCHIVETYPE_DAY;\r
$t = mktime(0, 0, 0, $m, $d, $y);\r
- // one day has 24 * 60 * 60 = 86400 seconds \r
+ // one day has 24 * 60 * 60 = 86400 seconds\r
$archiveprev = strftime('%Y-%m-%d', $t - 86400 );\r
- // check for published items \r
+ // check for published items\r
if ($t > $first_timestamp) {\r
$archiveprevexists = true;\r
}\r
else {\r
$archiveprevexists = false;\r
}\r
- \r
+\r
// one day later\r
- $t += 86400; \r
+ $t += 86400;\r
$archivenext = strftime('%Y-%m-%d', $t);\r
if ($t < $last_timestamp) {\r
$archivenextexists = true;\r
else {\r
$archivenextexists = false;\r
}\r
- \r
+\r
} else {\r
$archivetype = _ARCHIVETYPE_MONTH;\r
$t = mktime(0, 0, 0, $m, 1, $y);\r
else {\r
$archiveprevexists = false;\r
}\r
- \r
- // timestamp for the next month \r
+\r
+ // timestamp for the next month\r
$t = mktime(0, 0, 0, $m+1, 1, $y);\r
$archivenext = strftime('%Y-%m', $t);\r
if ($t < $last_timestamp) {\r
\r
function helpHtml($id) {\r
global $CONF;\r
- return helplink($id) . '<img src="' . $CONF['AdminURL'] . 'documentation/icon-help.gif" width="15" height="15" alt="' . _HELP_TT . '" /></a>';\r
+ return helplink($id) . '<img src="' . $CONF['AdminURL'] . 'documentation/icon-help.gif" width="15" height="15" alt="' . _HELP_TT . '" title="' . _HELP_TT . '" /></a>';\r
}\r
\r
function helplink($id) {\r
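Review bot: The new `title` attribute in helpHtml() interpolates `_HELP_TT` into a double-quoted attribute without escaping, exactly as the pre-existing `alt` already did, so a translated value containing `"` or `<` would break the tag or inject markup — the change duplicates that exposure rather than closing it. `_HELP_TT` appears to be a language-file constant rather than request input, so the risk is low, but escaping once is cheap: `$tt = htmlspecialchars(_HELP_TT, ENT_QUOTES);` and then `'" alt="' . $tt . '" title="' . $tt . '" /></a>'`. The return string also closes an `<a>` that is presumably opened by `helplink($id)`; helplink's body lies outside this hunk, so that pairing cannot be verified here, and a comment such as `// helplink() emits the opening <a>; it is closed after the icon` would make the coupling explicit.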
}\r
\r
\r
-/** \r
+/**\r
* Sanitize parameters such as $_GET and $_SERVER['REQUEST_URI'] etc.\r
- * to avoid XSS \r
+ * to avoid XSS\r
*/\r
function sanitizeParams()\r
{\r
global $HTTP_SERVER_VARS;\r
- \r
+\r
$array = array();\r
$str = '';\r
$frontParam = '';\r
- \r
+\r
// REQUEST_URI of $HTTP_SERVER_VARS\r
$str =& $HTTP_SERVER_VARS["REQUEST_URI"];\r
serverStringToArray($str, $array, $frontParam);\r
sanitizeArray($array);\r
arrayToServerString($array, $frontParam, $str);\r
- \r
+\r
// QUERY_STRING of $HTTP_SERVER_VARS\r
$str =& $HTTP_SERVER_VARS["QUERY_STRING"];\r
serverStringToArray($str, $array, $frontParam);\r
sanitizeArray($array);\r
arrayToServerString($array, $frontParam, $str);\r
- \r
+\r
if (phpversion() >= '4.1.0') {\r
// REQUEST_URI of $_SERVER\r
$str =& $_SERVER["REQUEST_URI"];\r
serverStringToArray($str, $array, $frontParam);\r
sanitizeArray($array);\r
arrayToServerString($array, $frontParam, $str);\r
- \r
+\r
// QUERY_STRING of $_SERVER\r
$str =& $_SERVER["QUERY_STRING"];\r
serverStringToArray($str, $array, $frontParam);\r
sanitizeArray($array);\r
arrayToServerString($array, $frontParam, $str);\r
}\r
- \r
+\r
// $_GET\r
convArrayForSanitizing($_GET, $array);\r
sanitizeArray($array);\r
revertArrayForSanitizing($array, $_GET);\r
- \r
+\r
// $_REQUEST (only GET param)\r
convArrayForSanitizing($_REQUEST, $array);\r
sanitizeArray($array);\r
revertArrayForSanitizing($array, $_REQUEST);\r
}\r
\r
-/** \r
+/**\r
* Check ticket when not checked in plugin's admin page\r
* to avoid CSRF.\r
* Also avoid the access to plugin/index.php by guest user.\r
*/\r
function ticketForPlugin(){\r
global $CONF,$DIR_PLUGINS,$member,$ticketforplugin;\r
- \r
+\r
/* initialize */\r
$ticketforplugin=array();\r
$ticketforplugin['ticket']=false;\r
- \r
+\r
/* Check if using plugin's php file. */\r
if ($p_translated=serverVar('PATH_TRANSLATED')) {\r
if (!file_exists($p_translated)) $p_translated='';\r
$p_translated=str_replace('\\','/',$p_translated);\r
$d_plugins=str_replace('\\','/',$DIR_PLUGINS);\r
if (strpos($p_translated,$d_plugins)!==0) return;// This isn't plugin php file.\r
- \r
+\r
/* Solve the plugin php file or admin directory */\r
$phppath=substr($p_translated,strlen($d_plugins));\r
$phppath=preg_replace('!^/!','',$phppath);// Remove the first "/" if exists.\r
$path=preg_replace('/^NP_(.*)\.php$/','$1',$phppath); // Remove the first "NP_" and the last ".php" if exists.\r
$path=preg_replace('!^([^/]*)/(.*)$!','$1',$path); // Remove the "/" and beyond.\r
- \r
+\r
/* Solve the plugin name. */\r
$plugins=array();\r
$query='SELECT pfile FROM '.sql_table('plugin');\r
header("HTTP/1.0 404 Not Found");\r
exit('');\r
}\r
- \r
+\r
/* Return if not index.php */\r
if ( $phppath!=strtolower($plugin_name).'/'\r
&& $phppath!=strtolower($plugin_name).'/index.php' ) return;\r
- \r
+\r
/* Exit if not logged in. */\r
if ( !$member->isLoggedIn() ) exit("You aren't logged in.");\r
- \r
+\r
global $manager,$DIR_LIBS,$DIR_LANG,$HTTP_GET_VARS,$HTTP_POST_VARS;\r
- \r
+\r
/* Check if this feature is needed (ie, if "$manager->checkTicket()" is not included in the script). */\r
if (!($p_translated=serverVar('PATH_TRANSLATED'))) $p_translated=serverVar('SCRIPT_FILENAME');\r
if ($file=@file($p_translated)) {\r
$prevline=$line;\r
}\r
}\r
- \r
+\r
/* Show a form if not valid ticket */\r
if ( ( strstr(serverVar('REQUEST_URI'),'?') || serverVar('QUERY_STRING')\r
|| strtoupper(serverVar('REQUEST_METHOD'))=='POST' )\r
$oPluginAdmin = new PluginAdmin($plugin_name);\r
$oPluginAdmin->start();\r
echo '<p>' . _ERROR_BADTICKET . "</p>\n";\r
- \r
+\r
/* Show the form to confirm action */\r
// PHP 4.0.x support\r
$get= (isset($_GET)) ? $_GET : $HTTP_GET_VARS;\r
echo '<input type="submit" value="'._YES.'" /> ';\r
echo '<input type="button" value="'._NO.'" onclick="history.back(); return false;" />';\r
echo "</form>\n";\r
- \r
+\r
$oPluginAdmin->end();\r
exit;\r
}\r
- \r
+\r
/* Create new ticket */\r
$ticket=$manager->addTicketToUrl('');\r
$ticketforplugin['ticket']=substr($ticket,strpos($ticket,'ticket=')+7);\r
}\r
}\r
\r
-/** \r
+/**\r
* Convert the server string such as $_SERVER['REQUEST_URI']\r
* to arry like arry['blogid']=1 and array['page']=2 etc.\r
*/\r
$args = $str;\r
$frontParam = "";\r
}\r
- \r
+\r
// If there is no args like blogid=1&page=2, return\r
if (!strstr($str, "=") && !strlen($frontParam)) {\r
$frontParam = $str;\r
$array = explode("&", $args);\r
}\r
\r
-/** \r
+/**\r
* Convert array like array['blogid'] to server string\r
* such as $_SERVER['REQUEST_URI']\r
*/\r
}\r
}\r
\r
-/** \r
+/**\r
* Sanitize array parameters.\r
* This function checks both key and value.\r
* - check key if it inclues " (double quote), remove from array\r
* - check value if it includes \ (escape sequece), remove remaining string\r
*/\r
function sanitizeArray(&$array)\r
-{ \r
+{\r
$excludeListForSanitization = array('query');\r
// $excludeListForSanitization = array();\r
\r
$val = stripslashes($val);\r
}\r
$val = addslashes($val);\r
- \r
+\r
// if $key is included in exclude list, skip this param\r
if (!in_array($key, $excludeListForSanitization)) {\r
- \r
+\r
// check value\r
@list($val, $tmp) = explode('\\', $val);\r
- \r
+\r
// remove control code etc.\r
$val = strtr($val, "\0\r\n<>'\"", " ");\r
- \r
+\r
// check key\r
if (preg_match('/\"/i', $key)) {\r
unset($array[$k]);\r
continue;\r
}\r
- \r
+\r
// set sanitized info\r
$array[$k] = sprintf("%s=%s", $key, $val);\r
}\r
$data = str_replace('\n', '<br />', $data); //hack\r
return $data;\r
}\r
- \r
+\r
/**\r
* Returns the Javascript code for a bookmarklet that works on most modern browsers\r
*\r