Timestamp:
04/30/11 00:54:20 (3 years ago)
Author:
mark8barnes
Message:

0.44 - Fixes several bugs (including an important security fix), and adds support for the admin bar in WordPress 3.1

Location:
sermon-browser/trunk
Files:
9 edited

  • sermon-browser/trunk/sb-includes/admin.php

    r378906 r379041  
    4545        sb_update_option('filter_hide', 'hide'); 
    4646        sb_update_option('hide_no_attachments', false); 
    47         if (!is_dir(SB_ABSPATH.$dir)) 
     47           if (!is_dir(SB_ABSPATH.$dir)) 
    4848            if (sb_mkdir(SB_ABSPATH.$dir)) 
    4949                @chmod(SB_ABSPATH.$dir, 0777); 
     
    6161        if ($books != $eng_books) { 
    6262            $sermon_books = $wpdb->get_results("SELECT id, start, end FROM {$wpdb->prefix}sb_sermons"); 
    63             foreach ($sermon_books as $sermon_book) { 
     63             foreach ($sermon_books as $sermon_book) { 
    6464                $start_verse = unserialize($sermon_book->start); 
    6565                $end_verse = unserialize($sermon_book->end); 
     
    7676        } 
    7777 
    78         $checkSermonUpload = sb_checkSermonUploadable(); 
    79         switch ($checkSermonUpload) { 
     78           $checkSermonUpload = sb_checkSermonUploadable(); 
     79           switch ($checkSermonUpload) { 
    8080            case "unwriteable": 
    8181                echo '<div id="message" class="updated fade"><p><b>'; 
     
    122122        sb_update_option ('import_filename', $_POST['import_filename']); 
    123123        sb_update_option ('hide_no_attachments', isset($_POST['hide_no_attachments'])); 
    124         if (!is_dir(SB_ABSPATH.$dir)) 
     124           if (!is_dir(SB_ABSPATH.$dir)) 
    125125            if (sb_mkdir(SB_ABSPATH.$dir)) 
    126126                @chmod(SB_ABSPATH.$dir, 0777); 
    127127        if(!is_dir(SB_ABSPATH.$dir.'images') && sb_mkdir(SB_ABSPATH.$sermonUploadDir.'images')) 
    128128            @chmod(SB_ABSPATH.$dir.'images', 0777); 
    129         $checkSermonUpload = sb_checkSermonUploadable(); 
    130         switch ($checkSermonUpload) { 
    131         case "unwriteable": 
     129           $checkSermonUpload = sb_checkSermonUploadable(); 
     130           switch ($checkSermonUpload) { 
     131           case "unwriteable": 
    132132            echo '<div id="message" class="updated fade"><p><b>'; 
    133133            _e('Error: The upload folder is not writeable. You need to CHMOD the folder to 666 or 777.', $sermon_domain); 
     
    314314                     _e('and will deactivate the SermonBrowser plugin', $sermon_domain); 
    315315                     echo '. '; 
    316                      _e('You will NOT be able to undo this action.', $sermon_domain) ?> 
     316                     _e('You will NOT be able to undo this action.', $sermon_domain); 
     317                     echo ' '; 
     318                     _e('If you only want to temporarily disable SermonBrowser, just deactivate it from the plugins page.', $sermon_domain); ?> 
    317319            </p> 
    318320        <?php } ?> 
     
    594596            var s = 'lol'; 
    595597            while ((s.indexOf('@') == -1) || (s.match(/(.*?)@(.*)/)[2].match(/[0-9]{1,2}:[0-9]{1,2}/) == null)) { 
    596                 s = prompt("New service's name - default time?", "Service's name @ 18:00"); 
     598                s = prompt("<?php _e("New service's name @ default time?", $sermon_domain)?>", "<?php _e("Service's name @ 18:00", $sermon_domain)?>"); 
    597599                if (s == null) { break; } 
    598600            } 
     
    620622        } 
    621623        function createNewSeries(s) { 
    622             var ss = prompt("New series' name?", "Series' name"); 
     624            var ss = prompt("<?php _e("New series' name?", $sermon_domain)?>", "<?php _e("Series' name", $sermon_domain)?>"); 
    623625            if (ss != null) { 
    624626                jQuery.post('<?php $_SERVER['PHP_SELF'] ?>?page=sermon-browser/sermon.php', {ssname: ss, sermon: 1}, function(r) { 
     
    659661        } 
    660662        function renameSeries(id, old) { 
    661             var ss = prompt("New series' name?", old); 
     663            var ss = prompt("<?php _e("New series' name?", $sermon_domain)?>", old); 
    662664            if (ss != null) { 
    663665                jQuery.post('<?php echo $_SERVER['PHP_SELF'] ?>?page=sermon-browser/sermon.php', {ssid: id, ssname: ss, sermon: 1}, function(r) { 
     
    673675            var s = 'lol'; 
    674676            while ((s.indexOf('@') == -1) || (s.match(/(.*?)@(.*)/)[2].match(/[0-9]{1,2}:[0-9]{1,2}/) == null)) { 
    675                 s = prompt("New service's name - default time?", old); 
     677                s = prompt("<?php _e("New service's name @ default time?", $sermon_domain)?>", old); 
    676678                if (s == null) { break; } 
    677679            } 
     
    10991101    if((ini_get('allow_url_fopen') | function_exists('curl_init')) & get_option('blog_public') == 1 & get_option('ping_sites') != "") { 
    11001102        $url = "http://ping.preachingcentral.com/?sg_ping"; 
    1101         $url .= "&name=".URLencode(get_option('blogname')); 
    1102         $url .= "&tagline=".URLencode(get_option('blogdescription')); 
    1103         $url .= "&site_url=".URLencode(get_option('home')); 
    1104         $url .= "&sermon_url=".URLencode(sb_display_url()); 
    1105         $url .= "&most_recent=".URLencode($wpdb->get_var("SELECT datetime FROM {$wpdb->prefix}sb_sermons ORDER BY datetime DESC LIMIT 1")); 
    1106         $url .= "&num_sermons=".URLencode($wpdb->get_var("SELECT COUNT(*) FROM {$wpdb->prefix}sb_sermons")); 
     1103        $url .= "&name=".rawurlencode(get_option('blogname')); 
     1104        $url .= "&tagline=".rawurlencode(get_option('blogdescription')); 
     1105        $url .= "&site_url=".rawurlencode(get_option('home')); 
     1106        $url .= "&sermon_url=".rawurlencode(sb_display_url()); 
     1107        $url .= "&most_recent=".rawurlencode($wpdb->get_var("SELECT datetime FROM {$wpdb->prefix}sb_sermons ORDER BY datetime DESC LIMIT 1")); 
     1108        $url .= "&num_sermons=".rawurlencode($wpdb->get_var("SELECT COUNT(*) FROM {$wpdb->prefix}sb_sermons")); 
    11071109        $url .= "&ver=".constant("SB_CURRENT_VERSION"); 
    1108         if (ini_get('allow_url_fopen')) { 
     1110         if (ini_get('allow_url_fopen')) { 
    11091111            $headers = @get_headers($url, 1); 
    11101112            if ($headers !="") { 
     
    11331135    global $wpdb, $sermon_domain; 
    11341136    //Security check 
    1135     if (function_exists('current_user_can')&&!(current_user_can('edit_posts')|current_user_can('publish_posts'))) 
     1137    if (function_exists('current_user_can') && !(current_user_can('publish_posts') || current_user_can('publish_pages'))) 
    11361138        wp_die(__("You do not have the correct permissions to edit sermons", $sermon_domain)); 
    11371139    sb_do_alerts(); 
     
    11391141        echo '<div id="message" class="updated fade"><p><b>'.__('Sermon saved to database.', $sermon_domain).'</b></div>'; 
    11401142        if (rand (1,5) == 1 && sb_get_option('show_donate_reminder') != 'off') 
    1141             echo '<div id="message" class="updated"><p><b>'.sprintf(__('If you find SermonBrowser useful, please consider a %1$ssmall donation%2$s.', $sermon_domain), '<a href="http://www.4-14.org.uk/sermon-browser#support" target="_blank">', '</a>').'</b></div>'; 
     1143            echo '<div id="message" class="updated"><p><b>'.sprintf(__('If you find SermonBrowser useful, please consider %1$ssupporting%2$s the ministry of Nathanael and Anna Ayling in Japan.', $sermon_domain), '<a href="'.sb_get_admin_url(null, 'admin.php?page=sermon-browser/japan.php').'">', '</a>').'</b></div>'; 
    11421144    } 
    11431145 
    11441146    if (isset($_GET['mid'])) { 
    11451147        //Security check 
    1146         if (function_exists('current_user_can')&&!current_user_can('edit_posts')) 
     1148        if (function_exists('current_user_can')&&!current_user_can('publish_posts')) 
    11471149            wp_die(__("You do not have the correct permissions to delete sermons", $sermon_domain)); 
    11481150        $mid = (int) $_GET['mid']; 
     
    12461248                        <td style="text-align:center"> 
    12471249                            <?php //Security check 
    1248                                     if (function_exists('current_user_can')&&current_user_can('edit_posts')) { ?> 
     1250                                    if (function_exists('current_user_can') && current_user_can('publish_posts')) { ?> 
    12491251                                    <a href="<?php echo $_SERVER['PHP_SELF']?>?page=sermon-browser/new_sermon.php&mid=<?php echo $sermon->id ?>"><?php _e('Edit', $sermon_domain) ?></a> | <a onclick="return confirm('Are you sure?')" href="<?php echo $_SERVER['PHP_SELF']?>?page=sermon-browser/sermon.php&mid=<?php echo $sermon->id ?>"><?php _e('Delete', $sermon_domain); ?></a> | 
    12501252                            <?php } ?> 
     
    12761278    $getid3=false; 
    12771279    //Security check 
    1278     if (!(current_user_can('edit_posts') | current_user_can('publish_posts'))) 
     1280    if (!(current_user_can('publish_posts') || current_user_can('publish_pages'))) 
    12791281        wp_die(__("You do not have the correct permissions to edit or create sermons", $sermon_domain)); 
    12801282    include_once (SB_ABSPATH.'/wp-includes/kses.php'); 
     
    12881290        $series_id = (int) $_POST['series']; 
    12891291        $time = isset($_POST['time']) ? $wpdb->escape($_POST['time']) : ''; 
     1292        $startz = $endz = array(); 
    12901293        for ($foo = 0; $foo < count($_POST['start']['book']); $foo++) { 
    12911294            if (!empty($_POST['start']['chapter'][$foo]) && !empty($_POST['end']['chapter'][$foo]) && !empty($_POST['start']['verse'][$foo]) && !empty($_POST['end']['verse'][$foo])) { 
     
    13241327        if (!$_GET['mid']) { // new 
    13251328            //Security check 
    1326             if (!current_user_can('publish_posts')) 
     1329            if (!current_user_can('publish_pages')) 
    13271330                wp_die(__("You do not have the correct permissions to create sermons", $sermon_domain)); 
    13281331            $wpdb->query("INSERT INTO {$wpdb->prefix}sb_sermons VALUES (null, '$title', '$preacher_id', '$date', '$service_id', '$series_id', '$start', '$end', '$description', '$time', '$override', 0)"); 
     
    13301333        } else { // edit 
    13311334            //Security check 
    1332             if (!current_user_can('edit_posts')) 
     1335            if (!current_user_can('publish_posts')) 
    13331336                wp_die(__("You do not have the correct permissions to edit sermons", $sermon_domain)); 
    13341337            $id = (int) $_GET['mid']; 
     
    14191422    if (isset($_GET['getid3'])) { 
    14201423        require_once('getid3/getid3.php'); 
    1421         $file_data = $wpdb->get_row("SELECT name, type FROM {$wpdb->prefix}sb_stuff WHERE id = ".$_GET['getid3']); 
     1424        $file_data = $wpdb->get_row("SELECT name, type FROM {$wpdb->prefix}sb_stuff WHERE id = ".$wpdb->escape($_GET['getid3'])); 
    14221425        if ($file_data !== NULL) { 
    14231426            $getID3 = new getID3; 
     
    15411544        <?php echo $timeArr ?> 
    15421545        function createNewPreacher(s) { 
    1543             if (jQuery('*[selected]', s).text() != 'Create new preacher') return; 
    1544             var p = prompt("New preacher's name?", "Preacher's name"); 
     1546            if (jQuery('#preacher')[0].value != 'newPreacher') return; 
     1547            var p = prompt("<?php _e("New preacher's name?", $sermon_domain)?>", "<?php _e("Preacher's name", $sermon_domain)?>"); 
    15451548            if (p != null) { 
    15461549                jQuery.post('<?php echo $_SERVER['PHP_SELF']?>?page=sermon-browser/sermon.php', {pname: p, sermon: 1}, function(r) { 
     
    15531556        } 
    15541557        function createNewService(s) { 
    1555             if (jQuery('*[selected]', s).text() != 'Create new service') { 
     1558            if (jQuery('#service')[0].value != 'newService') { 
    15561559                if (!jQuery('#override')[0].checked) { 
    1557                     jQuery('#time').val(timeArr[jQuery('*[selected]', s).attr('value')]).attr('disabled', 'disabled'); 
     1560                    jQuery('#time').val(timeArr[jQuery('#service')[0].value]).attr('disabled', 'disabled'); 
    15581561                } 
    15591562                return; 
     
    15611564            var s = 'lol'; 
    15621565            while ((s.indexOf('@') == -1) || (s.match(/(.*?)@(.*)/)[2].match(/[0-9]{1,2}:[0-9]{1,2}/) == null)) { 
    1563                 s = prompt("New service's name - default time?", "Service's name @ 18:00"); 
     1566                s = prompt("<?php _e("New service's name @ default time?", $sermon_domain)?>", "<?php _e("Service's name @ 18:00", $sermon_domain)?>"); 
    15641567                if (s == null) { break; } 
    15651568            } 
     
    15751578        } 
    15761579        function createNewSeries(s) { 
    1577             if (jQuery('*[selected]', s).text() != 'Create new series') return; 
    1578             var ss = prompt("New series' name?", "Series' name"); 
     1580            if (jQuery('#series')[0].value != 'newSeries') return; 
     1581            var ss = prompt("<?php _e("New series' name?", $sermon_domain)?>", "<?php _e("Series' name", $sermon_domain)?>"); 
    15791582            if (ss != null) { 
    15801583                jQuery.post('<?php echo $_SERVER['PHP_SELF']?>?page=sermon-browser/sermon.php', {ssname: ss, sermon: 1}, function(r) { 
     
    15971600        } 
    15981601        function syncBook(s) { 
    1599             var slc = jQuery('*[selected]', s).text(); 
     1602            if (jQuery('#endbook')[0].value != "") return; 
     1603            var slc = jQuery('#startbook')[0].value; 
    16001604            jQuery('.passage').each(function(i) { 
    16011605                if (this == jQuery(s).parents('.passage')[0]) { 
     
    16291633                jQuery('#time').removeClass('gray').attr('disabled', false); 
    16301634            } else { 
    1631                 jQuery('#time').addClass('gray').val(timeArr[jQuery('*[selected]', jQuery("select[name='service']")).attr('value')]).attr('disabled', 'disabled'); 
     1635                jQuery('#time').addClass('gray').val(timeArr[jQuery('#service')[0].value]).attr('disabled', 'disabled'); 
    16321636            } 
    16331637        } 
     
    17761780                            <tr> 
    17771781                                <td> 
    1778                                     <select name="start[book][]" onchange="syncBook(this)" class="start1"> 
     1782                                    <select id="startbook" name="start[book][]" onchange="syncBook(this)" class="start1"> 
    17791783                                        <option value=""></option> 
    17801784                                        <?php foreach ($books as $book): ?> 
     
    17921796                            <tr> 
    17931797                                <td> 
    1794                                     <select name="end[book][]" class="end"> 
     1798                                    <select id="endbook" name="end[book][]" class="end"> 
    17951799                                        <option value=""></option> 
    17961800                                        <?php foreach ($books as $book): ?> 
     
    18141818                        <table> 
    18151819                            <tr id="choosefile" class="choose"> 
    1816                                 <th> 
     1820                                <th scope="row" style="padding:3px 7px"> 
    18171821                                <select class="choosefile" name="choosefile" onchange="chooseType(this.name, this.value);"> 
    18181822                                <option value="filelist"><?php _e('Choose existing file:', $sermon_domain) ?></option> 
     
    19721976        <div style="width:45%;float:right;clear:right"> 
    19731977        <h2>Thank you</h2> 
    1974         <p>A number of individuals and churches have kindly <a href="http://www.4-14.org.uk/wordpress-plugins/sermon-browser#support">donated</a> to the development of Sermon Browser. Their support is very much appreciated.</p> 
     1978        <p>A number of individuals and churches have kindly <a href="http://www.4-14.org.uk/wordpress-plugins/sermon-browser#support">donated</a> to the development of Sermon Browser. Their support is very much appreciated. Since April 2011, all donations have been sent to <a href="<?php echo sb_get_admin_url(null, 'admin.php?page=sermon-browser/japan.php')?>">support the ministry of Nathanael and Anna Ayling</a> in Japan.</p> 
    19751979        <ul style="list-style-type:circle; margin-left: 2em"> 
    19761980            <li><a href="http://www.cambray.org/" target="_blank">Cambray Baptist Church</a>, UK</li> 
    1977             <li><a href="http://www.emw.org.uk/" target="_blank">Evangelical Movement of Wales</a>, UK</li> 
    19781981            <li><a href="http://www.bethel-clydach.co.uk/" target="_blank">Bethel Baptist Church</a>, Clydach, UK</li> 
    1979             <li><a href="http://BetterCommunication.org" target="_blank">BetterCommunication.org</a></li> 
     1982            <li><a href="http://www.bethel-laleston.co.uk/" target="_blank">Bethel Baptist Church</a>, Laleston, UK</li> 
     1983            <li><a href="http://www.hessonchurch.com/" target="_blank">Hesson Christian Fellowship</a>, Ontario, Canada</li> 
     1984            <li><a href="http://www.icvineyard.org/" target="_blank">Vineyard Community Church</a>, Iowa</li> 
     1985            <li><a href="http://www.cbcsd.us/" target="_blank">Chinese Bible Church of San Diego</a>, California</li> 
     1986            <li><a href="http://thecreekside.org/" target="_blank">Creekside Community Church</a>, Texas</li> 
     1987            <li><a href="http://stluke.info/" target="_blank">St. Luke Lutheran Church, Gales Ferry</a>, Connecticut</li> 
     1988            <li><a href="http://www.bunnbaptistchurch.org/" target="_blank">Bunn Baptist Church</a>, North Carolina</li> 
     1989            <li><a href="http://www.ccpconline.org" target="_blank">Christ Community Presbyterian Church</a>, Florida</li> 
     1990            <li><a href="http://www.harborhawaii.org" target="_blank">Harbor Church</a>, Hawaii</li> 
     1991            <li>Vicky H, UK</li> 
     1992            <li>Ben S, UK</li> 
     1993            <li>Tom W, UK</li> 
     1994            <li>Gavin D, UK</li> 
     1995            <li>Douglas C, UK</li> 
     1996            <li>David A, UK</li> 
     1997            <li>Thomas C, Canada</li> 
     1998            <li>Daniel J, Germany</li> 
     1999            <li>Hiromi O, Japan</li> 
     2000            <li>David C, Australia</li> 
     2001            <li>Lou B, Australia</li> 
    19802002            <li>Edward P, Delaware</li> 
    1981             <li><a href="http://www.cbcsd.us/" target="_blank">Chinese Bible Church of San Diego</a>, California</li> 
    19822003            <li>Steve J, Pensylvania</li> 
    19832004            <li>William H, Indiana</li> 
    1984             <li><a href="http://www.icvineyard.org/" target="_blank">Vineyard Community Church</a>, Iowa</li> 
    19852005            <li>Brandon E, New Jersey</li> 
    19862006            <li>Jamon A, Missouri</li> 
    1987             <li>Vicky H, UK</li> 
    19882007            <li>Chuck H, Tennessee</li> 
    1989             <li><a href="http://www.bethel-laleston.co.uk/" target="_blank">Bethel Baptist Church</a>, Laleston, UK</li> 
    1990             <li><a href="http://stluke.info/" target="_blank">St. Luke Lutheran Church, Gales Ferry</a>, Connecticut</li> 
    19912008            <li>David F, Maryland</li> 
    19922009            <li>Antony L, California</li> 
    19932010            <li>David W, Florida</li> 
    1994             <li>Daniel J, Germany</li> 
    19952011            <li>Fabio P, Connecticut</li> 
     2012            <li>Bill C, Georgia</li> 
     2013            <li>Scott J, Florida</li> 
     2014            <li><a href="http://www.emw.org.uk/" target="_blank">Evangelical Movement of Wales</a>, UK</li> 
     2015            <li><a href="http://BetterCommunication.org" target="_blank">BetterCommunication.org</a></li> 
     2016            <li>Home and Outdoor Living, Indiana</li> 
    19962017            <li><a href="http://design.ddandhservices.com/" target="_blank">DD&H Services</a>, British Columbia</li> 
     2018            <li><a href="http://www.dirtroadphotography.com" target="_blank">Dirt Road Photography</a>, Nebraska</li> 
     2019            <li><a href="http://www.hardeysolutions.com/" target="_blank">Hardey Solutions</a>, Houston</li> 
     2020            <li><a href="http://www.olivetreehost.com/" target="_blank">Olivetreehost.com</a></li> 
     2021            <li><a href="http://www.onQsites.com/" target="_blank">onQsites</a>, South Carolina</li> 
    19972022        </ul> 
    19982023        <p>Additional help was also received from:</p> 
     
    20002025            <li>James Hudson, Matthew Hiatt, Mark Bouchard (code contributions)</li> 
    20012026            <li>Juan Carlos and Marvin Ortega (Spanish translation)</li> 
     2027            <li><a href="http://www.fatcow.com/">FatCow</a> (Russian translation)</li> 
     2028            <li><a href="http://intercer.net/">Lucian Mihailescu</a> (Romanian translation)</li> 
     2029            <li>Monika Gause (German translation)</li> 
     2030            <li><a href="http://www.djio.com.br/sermonbrowser-em-portugues-brasileiro-pt_br/">DJIO</a> (Brazilian Portugese translation)</li> 
    20022031            <li>Numerous <a href="http://www.4-14.org.uk/forum/sermon-browser-support/">forum contributors</a> for feature suggestions and bug reports</li> 
    20032032        </ul> 
     
    20272056} 
    20282057 
     2058function sb_japan() { 
     2059sb_do_alerts(); 
     2060?> 
     2061    <div class="wrap"> 
     2062        <a href="http://www.4-14.org.uk/sermon-browser"><img src="<?php echo SB_PLUGIN_URL; ?>/sb-includes/logo-small.png" width="191" height ="35" style="margin: 1em 2em; float: right; background: #f9f9f9;" /></a> 
     2063        <h2 style=>Help support Christian ministry in Japan</h2> 
     2064        <div style="float:right;clear:both; width:208px; padding-left:20px"> 
     2065            <img src="http://www.bethel-clydach.co.uk/wp-content/uploads/2010/01/Nathanael-and-Anna-188x300.jpg" width="188" height="300" /> 
     2066        </div> 
     2067        <div style="width:533px; float:left"> 
     2068            <iframe src="http://player.vimeo.com/video/19995544?title=0&amp;byline=0&amp;portrait=0" width="533" height="300" frameborder="0"></iframe> 
     2069        </div> 
     2070        <div style="margin-left:553px;"> 
     2071            <p>Since April 2011, all gifts donated to Sermon Browser have been given to support the work of <a href="http://www.bethel-clydach.co.uk/about/mission-partners/nathanael-and-anna-ayling/">Nathanael and Anna Ayling</a> in Japan. 
     2072            Nathanael and Anna are members of a small church in the UK where the the author of Sermon Browser is a minister. Together with little Ethan, they have been in Japan since April 2010, and are based in Sappororo in the north, 
     2073            undergoing intensive language training so that by God's grace they can work alongside Japanese Christians to make disciples of Jesus among Japanese students. They are being cared for by <a href="http://www.omf.org/omf/japan/about_us">OMF International</a> (formerly known as the China Inland Mission, and founded by  
     2074            Hudson Taylor in 1865).</p> 
     2075            <p>If you value Sermon Browser, please consider supporting Nathanael and Anna. You can do this by:</p> 
     2076            <ul> 
     2077                <li><a href="http://ateamjapan.wordpress.com/">Looking at their blog</a>, and praying about their latest news.</li> 
     2078                <li><a href="http://www.omf.org/omf/uk/omf_at_work/pray_for_omf_workers">Signing up</a> to receiving their regular prayer news.</li> 
     2079                <li><form style="float:left" action="https://www.paypal.com/cgi-bin/webscr" method="post"><input name="cmd" type="hidden" value="_s-xclick" /><input name="hosted_button_id" type="hidden" value="9YTQKPQLGZ9TJ" /><input alt="PayPal - The safer, easier way to pay online." name="submit" src="https://www.paypal.com/en_GB/i/btn/btn_donate_SM.gif" type="image" /> <img src="https://www.paypal.com/en_GB/i/scr/pixel.gif" border="0" alt="" width="1" height="1" /></form> towards their ongoing support.</li> 
     2080            </ul> 
     2081        </div> 
     2082    </div> 
     2083<?php    
     2084} 
    20292085/*************************************** 
    2030  ** Supplementary functions        ** 
     2086 ** Supplementary functions           ** 
    20312087 **************************************/ 
    20322088 
     
    20782134        $output_string .= '<p class="youhave">'.__("You have")." "; 
    20792135        $output_string .= '<a href="'.get_bloginfo('wpurl').'/wp-admin/admin.php?page=sermon-browser/files.php">'; 
    2080         $output_string .= sprintf(_n('%d file', '%d files', $file_count), $file_count)."</a> "; 
     2136        $output_string .= sprintf(_n('%s file', '%s files', $file_count), number_format($file_count))."</a> "; 
    20812137        if ($sermon_count > 0) { 
    20822138            $output_string .= __("in")." ".'<a href="'.$_SERVER['PHP_SELF'].'?page=sermon-browser/sermon.php">'; 
    2083             $output_string .= sprintf(_n('%d sermon', '%d sermons', $sermon_count), $sermon_count)."</a> "; 
     2139            $output_string .= sprintf(_n('%s sermon', '%s sermons', $sermon_count), number_format($sermon_count))."</a> "; 
    20842140        } 
    20852141        if ($preacher_count > 0) { 
    20862142            $output_string .= __("from")." ".'<a href="'.get_bloginfo('wpurl').'/wp-admin/admin.php?page=sermon-browser/preachers.php">'; 
    2087             $output_string .= sprintf(_n('%d preacher', '%d preachers', $preacher_count), $preacher_count)."</a> "; 
     2143            $output_string .= sprintf(_n('%s preacher', '%s preachers', $preacher_count), number_format($preacher_count))."</a> "; 
    20882144        } 
    20892145        if ($series_count > 0) { 
    20902146            $output_string .= __("in")." ".'<a href="'.get_bloginfo('wpurl').'/wp-admin/admin.php?page=sermon-browser/manage.php">'; 
    2091             $output_string .= sprintf(__('%d series'), $series_count)."</a> "; 
     2147            $output_string .= sprintf(__('%s series'), number_format($series_count))."</a> "; 
    20922148        } 
    20932149        if ($tag_count > 0) 
    2094             $output_string .= __("using")." ".sprintf(_n('%d tag', '%d tags', $tag_count), $tag_count)." "; 
     2150            $output_string .= __("using")." ".sprintf(_n('%s tag', '%s tags', $tag_count), number_format($tag_count))." "; 
    20952151        if (substr($output_string, -1) == " ") 
    20962152            $output_string = substr($output_string, 0, -1); 
    20972153        if ($download_count > 0) 
    2098             $output_string .= ". ".sprintf(_n('Only one file has been downloaded', 'They have been downloaded a total of %d times', $download_count), $download_count); 
     2154            $output_string .= ". ".sprintf(_n('Only one file has been downloaded', 'They have been downloaded a total of %s times', $download_count), number_format($download_count)); 
    20992155        if ($download_count > 1) { 
    21002156            $output_string .= ", ".sprintf(_n('an average of once per sermon', 'an average of %d times per sermon', $download_average), $download_average); 
    2101             $most_popular_title = '<a href="'.get_bloginfo('wpurl').'/wp-admin/admin.php?page=sermon-browser/new_sermon.php&mid='.$most_popular->sermon_id.'">'.stripslashes($most_popular->title).'</a>'; 
    2102             $output_string .= ". ".sprintf(__('The most popular sermon is %s, which has been downloaded %s times'), $most_popular_title, $most_popular->c); 
     2157            $most_popular_title = '<a href="'.sb_display_url().sb_query_char(true).'sermon_id='.$most_popular->sermon_id.'">'.stripslashes($most_popular->title).'</a>'; 
     2158            $output_string .= ". ".sprintf(__('The most popular sermon is %s, which has been downloaded %s times'), $most_popular_title, number_format($most_popular->c)); 
    21032159        } 
    21042160        $output_string .= '.</p>'; 
     
    21262182            if ($file != "." && $file != ".." && !is_dir($dir.$file) && !in_array($file, $bnn)) { 
    21272183                $wpdb->query("INSERT INTO {$wpdb->prefix}sb_stuff VALUES (null, 'file', '$file', 0, 0, 0);"); 
    2128             } 
    2129         } 
    2130         closedir($dh); 
     2184               } 
     2185        } 
     2186           closedir($dh); 
    21312187    } 
    21322188} 
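Review bot: The getid3 lookup at new line 1424 still concatenates request input into an unquoted numeric comparison, and `$wpdb->escape()` only neutralises quote characters, so it does not constrain what reaches the `WHERE id =` clause. The same function already casts the other request id with `(int)` at new line 1150, and that is the simplest consistent fix here: `$file_data = $wpdb->get_row("SELECT name, type FROM {$wpdb->prefix}sb_stuff WHERE id = ".(int) $_GET['getid3']);` (or `$wpdb->prepare(..., %d)`, which also documents the intent). Separately, the re-indented `}` / `closedir($dh);` lines at new lines 2184–2186 mix indent widths; aligning them with the surrounding `foreach` keeps the function readable. The functions enclosing both hunks start and end outside the hunk.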
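--- a/sermon-browser/trunk/sb-includes/ajax.php
+++ b/sermon-browser/trunk/sb-includes/ajax.php
@@ -1,4 +1,5 @@
 <?php
 global $sermon_domain;
+define ('SB_AJAX', true);
 
 // Throughout this plugin, p stands for preacher, s stands for service and ss stands for series
@@ -137,5 +138,9 @@
             <td><?php echo sb_sermon_stats($sermon->id) ?></td>
             <td style="text-align:center">
-                <a href="<?php echo $_SERVER['PHP_SELF']?>?page=sermon-browser/new_sermon.php&mid=<?php echo $sermon->id ?>"><?php _e('Edit', $sermon_domain) ?></a> | <a onclick="return confirm('Are you sure?')" href="<?php echo $_SERVER['PHP_SELF']?>?page=sermon-browser/sermon.php&mid=<?php echo $sermon->id ?>"><?php _e('Delete', $sermon_domain) ?></a>
+                <?php //Security check
+                        if (current_user_can('edit_posts')) { ?>
+                        <a href="<?php echo $_SERVER['PHP_SELF']?>?page=sermon-browser/new_sermon.php&mid=<?php echo $sermon->id ?>"><?php _e('Edit', $sermon_domain) ?></a> | <a onclick="return confirm('Are you sure?')" href="<?php echo $_SERVER['PHP_SELF']?>?page=sermon-browser/sermon.php&mid=<?php echo $sermon->id ?>"><?php _e('Delete', $sermon_domain); ?></a> |
+                <?php } ?>
+                <a href="<?php echo sb_display_url().sb_query_char(true).'sermon_id='.$sermon->id;?>">View</a>
             </td>
         </tr>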
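Review bot: The Edit/Delete links at new lines 141–142 are shown to anyone with `edit_posts`, but the admin.php half of this commit gates the same links on `publish_posts` (new line 1250) and the delete handler on `publish_posts` (new line 1148), so a user with `edit_posts` but not `publish_posts` sees links that end in `wp_die`. Using the same capability here, `if (current_user_can('publish_posts')) { ?>`, keeps the listing consistent with the handler that serves it. The delete link is still a plain GET with no nonce; wrapping it in `wp_nonce_url()` and verifying the nonce in the handler would give the destructive action CSRF protection. The `View` label at new line 144 is the only one in this row not passed through `_e()`.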
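--- a/sermon-browser/trunk/sb-includes/dictionary.php
+++ b/sermon-browser/trunk/sb-includes/dictionary.php
@@ -71,5 +71,5 @@
         '[synodaltext]' => '<?php for ($i = 0; $i < count($sermon["Sermon"]->start); $i++): echo sb_add_bible_text ($sermon["Sermon"]->start[$i], $sermon["Sermon"]->end[$i], "synodal"); endfor ?>',
         '[biblepassage]' => '<?php for ($i = 0; $i < count($sermon["Sermon"]->start); $i++): sb_print_bible_passage ($sermon["Sermon"]->start[$i], $sermon["Sermon"]->end[$i]); endfor ?>',
-        '[editlink]' => '<?php sb_edit_link($_GET["sermon_id"]) ?>',
+        '[editlink]' => '<?php sb_edit_link((int)$_GET["sermon_id"]) ?>',
         '[creditlink]' => '<div id="poweredbysermonbrowser">Powered by <a href="http://www.4-14.org.uk/sermon-browser">Sermon Browser</a></div>',
     );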
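Review bot: The new `[editlink]` entry reads `$_GET["sermon_id"]` without an isset guard, so a template rendered on a page that has no `sermon_id` parameter raises an undefined-index notice before the cast; `sb_edit_link(isset($_GET["sermon_id"]) ? (int)$_GET["sermon_id"] : 0)` keeps the cast and stays quiet. The outer `(int)` duplicates the `$id = (int)$id;` inside sb_edit_link, which is harmless and worth keeping as defence in depth, since the `<?php` tags suggest this string is evaluated as template code later — how it is evaluated is not visible here. The enclosing array and its function start outside the hunk.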
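--- a/sermon-browser/trunk/sb-includes/frontend.php
+++ b/sermon-browser/trunk/sb-includes/frontend.php
@@ -114,4 +114,31 @@
 }
 
+function sb_admin_bar_menu () {
+    global $wp_admin_bar, $sermon_domain;
+    if (!current_user_can('edit_posts') || !class_exists('WP_Admin_Bar'))
+        return;
+    if (isset($_GET['sermon_id']) && (int)$_GET['sermon_id'] != 0 && current_user_can('publish_pages')) {
+        $wp_admin_bar->add_menu(array('id' => 'sermon-browser-menu', 'title' => __('Edit Sermon', $sermon_domain), 'href' => sb_get_admin_url(null, 'admin.php?page=sermon-browser/new_sermon.php&mid='.(int)$_GET['sermon_id'])));
+        $wp_admin_bar->add_menu(array('parent' => 'sermon-browser-menu', 'id' => 'sermon-browser-sermons', 'title' => __('List Sermons', $sermon_domain), 'href' => sb_get_admin_url(null, 'admin.php?page=sermon-browser/sermon.php')));
+    } else
+        $wp_admin_bar->add_menu(array('id' => 'sermon-browser-menu', 'title' => __('Sermons', $sermon_domain), 'href' => sb_get_admin_url(null, 'admin.php?page=sermon-browser/sermon.php')));
+    if (current_user_can('publish_pages'))
+        $wp_admin_bar->add_menu(array('parent' => 'sermon-browser-menu', 'id' => 'sermon-browser-add', 'title' => __('Add Sermon', $sermon_domain), 'href' => sb_get_admin_url(null, 'admin.php?page=sermon-browser/new_sermon.php')));
+    if (current_user_can('upload_files'))
+        $wp_admin_bar->add_menu(array('parent' => 'sermon-browser-menu', 'id' => 'sermon-browser-files', 'title' => __('Files', $sermon_domain), 'href' => sb_get_admin_url(null, 'admin.php?page=sermon-browser/files.php')));
+    if (current_user_can('manage_categories')) {
+        $wp_admin_bar->add_menu(array('parent' => 'sermon-browser-menu', 'id' => 'sermon-browser-preachers', 'title' => __('Preachers', $sermon_domain), 'href' => sb_get_admin_url(null, 'admin.php?page=sermon-browser/preachers.php')));
+        $wp_admin_bar->add_menu(array('parent' => 'sermon-browser-menu', 'id' => 'sermon-browser-series', 'title' => __('Series &amp; Services', $sermon_domain), 'href' => sb_get_admin_url(null, 'admin.php?page=sermon-browser/manage.php')));
+    }
+    if (current_user_can('manage_options')) {
+        $wp_admin_bar->add_menu(array('parent' => 'sermon-browser-menu', 'id' => 'sermon-browser-options', 'title' => __('Options', $sermon_domain), 'href' => sb_get_admin_url(null, 'admin.php?page=sermon-browser/options.php')));
+        $wp_admin_bar->add_menu(array('parent' => 'sermon-browser-menu', 'id' => 'sermon-browser-series', 'title' => __('Templates', $sermon_domain), 'href' => sb_get_admin_url(null, 'admin.php?page=sermon-browser/templates.php')));
+    }
+    if (current_user_can('edit_plugins'))
+        $wp_admin_bar->add_menu(array('parent' => 'sermon-browser-menu', 'id' => 'sermon-browser-uninstall', 'title' => __('Uninstall', $sermon_domain), 'href' => sb_get_admin_url(null, 'admin.php?page=sermon-browser/uninstall.php')));
+    $wp_admin_bar->add_menu(array('parent' => 'sermon-browser-menu', 'id' => 'sermon-browser-help', 'title' => __('Help', $sermon_domain), 'href' => sb_get_admin_url(null, 'admin.php?page=sermon-browser/help.php')));
+    $wp_admin_bar->add_menu(array('parent' => 'sermon-browser-menu', 'id' => 'sermon-browser-japan', 'title' => __('Pray for Japan', $sermon_domain), 'href' => sb_get_admin_url(null, 'admin.php?page=sermon-browser/japan.php')));
+}
+
 // Sorts an object by rank
 function sb_sort_object($a,$b) {
@@ -138,5 +165,5 @@
         $sermons = $wpdb->get_results("SELECT sermons.id, sermons.title, sum(stuff.count) AS total
                                        FROM {$wpdb->prefix}sb_stuff AS stuff
-                                       LEFT JOIN wp_sb_sermons AS sermons ON stuff.sermon_id = sermons.id
+                                       LEFT JOIN {$wpdb->prefix}sb_sermons AS sermons ON stuff.sermon_id = sermons.id
                                        GROUP BY sermons.id ORDER BY total DESC LIMIT 0, {$options['limit']}");
         if ($sermons) {
@@ -385,5 +412,5 @@
     // and insert the name of your key in place of the letters IP in the URL
     // below (.e.g. ...passageQuery?key=YOURAPIKEY&passage=...)
-    $esv_url = 'http://www.esvapi.org/v2/rest/passageQuery?key=IP&passage='.urlencode(sb_tidy_reference ($start, $end)).'&include-headings=false&include-footnotes=false';
+    $esv_url = 'http://www.esvapi.org/v2/rest/passageQuery?key=IP&passage='.rawurlencode(sb_tidy_reference ($start, $end)).'&include-headings=false&include-footnotes=false';
     return sb_download_page ($esv_url);
 }
@@ -459,5 +486,5 @@
 //Adds edit sermon link if current user has edit rights
 function sb_edit_link ($id) {
-    if (current_user_can('edit_posts')) {
+    if (current_user_can('publish_posts')) {
         $id = (int)$id;
         echo '<div class="sb_edit_link"><a href="'.get_bloginfo('wpurl').'/wp-admin/admin.php?page=sermon-browser/new_sermon.php&mid='.$id.'">Edit Sermon</a></div>';
@@ -473,5 +500,5 @@
     foreach ($foo as $k => $v) {
         if (in_array($k, array_keys($arr)) | (in_array($k, $wl) && !$clear)) {
-            $bar[] = "$k=$v";
+            $bar[] = rawurlencode($k).'='.rawurlencode($v);
         }
     }
@@ -525,5 +552,5 @@
 // Returns podcast URL
 function sb_podcast_url() {
-    return str_replace(' ', '%20', sb_build_url(array('podcast' => 1, 'dir'=>'desc', 'sortby'=>'m.datetime'), true));
+    return str_replace(' ', '%20', sb_build_url(array('podcast' => 1, 'dir'=>'desc', 'sortby'=>'m.datetime')));
 }
 
@@ -564,6 +591,8 @@
 function sb_print_tags($tags) {
     $out = array();
-    foreach ((array) $tags as $tag)
+    foreach ((array) $tags as $tag) {
+        $tag = stripslashes($tag);
         $out[] = '<a href="'.sb_get_tag_link($tag).'">'.$tag.'</a>';
+    }
     $tags = implode(', ', (array) $out);
     echo $tags;
@@ -628,10 +657,10 @@
     $ext = $pathinfo['extension'];
     if (substr($url,0,7) == "http://") {
-        $url=sb_display_url().sb_query_char(FALSE).'show&url='.URLencode($url);
+        $url=sb_display_url().sb_query_char(FALSE).'show&url='.rawurlencode($url);
     } else {
         if (strtolower($ext) == 'mp3' && function_exists('ap_insert_player_widgets')) {
-            $url=sb_display_url().sb_query_char(FALSE).'show&file_name='.URLencode($url);
+            $url=sb_display_url().sb_query_char(FALSE).'show&file_name='.rawurlencode($url);
         } else {
-            $url=sb_display_url().sb_query_char(FALSE).'download&file_name='.URLencode($url);
+            $url=sb_display_url().sb_query_char(FALSE).'download&file_name='.rawurlencode($url);
         }
     }   $icon_url = SB_PLUGIN_URL.'/sb-includes/icons/';
@@ -661,5 +690,5 @@
         else {
             $param="file_name"; }
-        $url = URLencode($url);
+        $url = rawurlencode($url);
         echo ' <a href="'.sb_display_url().sb_query_char().'download&amp;'.$param.'='.$url.'">Download</a>';
     }
@@ -684,5 +713,5 @@
 function sb_print_preacher_image($sermon) {
     if ($sermon->image)
-        echo "<img alt='".stripslashes($sermon->preacher)."' class='preacher' src='".get_bloginfo('wpurl').sb_get_option('upload_dir').'images/'.$sermon->image."'>";
+        echo "<img alt='".stripslashes($sermon->preacher)."' class='preacher' src='".trailingslashit(get_bloginfo('wpurl')).sb_get_option('upload_dir').'images/'.$sermon->image."'>";
 }
 
@@ -727,4 +756,5 @@
     $sermon = $wpdb->get_row("SELECT m.id, m.title, m.datetime, m.start, m.end, m.description, p.id as pid, p.name as preacher, p.image as image, p.description as preacher_description, s.id as sid, s.name as service, ss.id as ssid, ss.name as series FROM {$wpdb->prefix}sb_sermons as m, {$wpdb->prefix}sb_preachers as p, {$wpdb->prefix}sb_services as s, {$wpdb->prefix}sb_series as ss where m.preacher_id = p.id and m.service_id = s.id and m.series_id = ss.id and m.id = {$id}");
     if ($sermon) {
+        $file = $code = $tags = array();
         $stuff = $wpdb->get_results("SELECT f.id, f.type, f.name FROM {$wpdb->prefix}sb_stuff as f WHERE sermon_id = $id ORDER BY id desc");
         $rawtags = $wpdb->get_results("SELECT t.name FROM {$wpdb->prefix}sb_sermons_tags as st LEFT JOIN {$wpdb->prefix}sb_tags as t ON st.tag_id = t.id WHERE st.sermon_id = {$sermon->id} ORDER BY t.name asc");
@@ -732,5 +762,4 @@
             $tags[] = $tag->name;
         }
-        $file = $code = $tags = array();
         foreach ($stuff as $cur)
             ${$cur->type}[] = $cur->name;
@@ -886,10 +915,10 @@
         $series = $wpdb->get_results("SELECT ss.*, count(ss.id) AS count FROM {$wpdb->prefix}sb_series AS ss JOIN {$wpdb->prefix}sb_sermons AS sermons ON ss.id = sermons.series_id  WHERE sermons.id IN {$ids} GROUP BY ss.id ORDER BY sermons.datetime DESC");
         $services = $wpdb->get_results("SELECT s.*, count(s.id) AS count FROM {$wpdb->prefix}sb_services AS s JOIN {$wpdb->prefix}sb_sermons AS sermons ON s.id = sermons.service_id  WHERE sermons.id IN {$ids} GROUP BY s.id ORDER BY count DESC");
-        $book_count = $wpdb->get_results("SELECT bs.book_name AS name, count(b.id) AS count FROM {$wpdb->prefix}sb_books_sermons AS bs JOIN {$wpdb->prefix}sb_books as b ON bs.book_name=b.name WHERE bs.type = 'start' AND bs.sermon_id IN {$ids} GROUP BY b.id");
+        $book_count = $wpdb->get_results("SELECT bs.book_name AS name, count(distinct bs.sermon_id) AS count FROM {$wpdb->prefix}sb_books_sermons AS bs JOIN {$wpdb->prefix}sb_books as b ON bs.book_name=b.name AND bs.sermon_id IN {$ids} GROUP BY b.id");
         $dates = $wpdb->get_results("SELECT YEAR(datetime) as year, MONTH (datetime) as month, DAY(datetime) as day FROM {$wpdb->prefix}sb_sermons WHERE id IN {$ids} ORDER BY datetime ASC");
 
         $more_applied = array();
         $output = str_replace ('*preacher*', isset($preachers[0]->name) ? $preachers[0]->name : '', $output);
-        $output = str_replace ('*book*', isset($book_count[0]->name) ? $book_count[0]->name : '', $output);
+        $output = str_replace ('*book*', isset($_REQUEST['book']) ? htmlentities($_REQUEST['book']) : '', $output);
         $output = str_replace ('*service*', isset($services[0]->name) ? $services[0]->name : '', $output);
         $output = str_replace ('*series*', isset($series[0]->name) ? $series[0]->name : '', $output);
@@ -935,5 +964,5 @@
         $series = $wpdb->get_results("SELECT ss.*, count(ss.id) AS count FROM {$wpdb->prefix}sb_series AS ss JOIN {$wpdb->prefix}sb_sermons AS sermons ON ss.id = sermons.series_id GROUP BY ss.id ORDER BY sermons.datetime DESC");
         $services = $wpdb->get_results("SELECT s.*, count(s.id) AS count FROM {$wpdb->prefix}sb_services AS s JOIN {$wpdb->prefix}sb_sermons AS sermons ON s.id = sermons.service_id GROUP BY s.id ORDER BY count DESC");
-        $book_count = $wpdb->get_results("SELECT bs.book_name AS name, count( b.id ) AS count FROM {$wpdb->prefix}sb_books_sermons AS bs JOIN {$wpdb->prefix}sb_books AS b ON bs.book_name = b.name WHERE bs.type = 'start' GROUP BY b.id");
+        $book_count = $wpdb->get_results("SELECT bs.book_name AS name, count(distinct bs.sermon_id) AS count FROM {$wpdb->prefix}sb_books_sermons AS bs JOIN {$wpdb->prefix}sb_books AS b ON bs.book_name = b.name GROUP BY b.id");
         $sb = array(
             'Title' => 'm.title',
@@ -983,5 +1012,5 @@
                             <td class="fieldname rightcolumn"><?php _e('Series', $sermon_domain) ?></td>
                             <td class="field"><select name="series" id="series">
-                                    <option value="0" <?php echo $_REQUEST['series'] != 0 ? '' : 'selected="selected"' ?>><?php _e('[All]', $sermon_domain) ?></option>
+                                    <option value="0" <?php echo (isset($_REQUEST['series']) && $_REQUEST['series'] != 0) ? '' : 'selected="selected"' ?>><?php _e('[All]', $sermon_domain) ?></option>
                                     <?php foreach ($series as $item): ?>
                                     <option value="<?php echo $item->id ?>" <?php echo isset($_REQUEST['series']) && $_REQUEST['series'] == $item->id ? 'selected="selected"' : '' ?>><?php echo stripslashes($item->name).' ('.$item->count.')' ?></option>
@@ -992,11 +1021,11 @@
                         <tr>
                             <td class="fieldname"><?php _e('Start date', $sermon_domain) ?></td>
-                            <td class="field"><input type="text" name="date" id="date" value="<?php echo mysql_real_escape_string($_REQUEST['date']) ?>" /></td>
+                            <td class="field"><input type="text" name="date" id="date" value="<?php echo isset($_REQUEST['date']) ? mysql_real_escape_string($_REQUEST['date']) : '' ?>" /></td>
                             <td class="fieldname rightcolumn"><?php _e('End date', $sermon_domain) ?></td>
-                            <td class="field"><input type="text" name="enddate" id="enddate" value="<?php echo mysql_real_escape_string($_REQUEST['enddate']) ?>" /></td>
+                            <td class="field"><input type="text" name="enddate" id="enddate" value="<?php echo isset($_REQUEST['enddate']) ? mysql_real_escape_string($_REQUEST['enddate']) : '' ?>" /></td>
                         </tr>
                         <tr>
                             <td class="fieldname"><?php _e('Keywords', $sermon_domain) ?></td>
-                            <td class="field" colspan="3"><input style="width: 98.5%" type="text" id="title" name="title" value="<?php echo mysql_real_escape_string($_REQUEST['title']) ?>" /></td>
+                            <td class="field" colspan="3"><input style="width: 98.5%" type="text" id="title" name="title" value="<?php echo isset($_REQUEST['title']) ? mysql_real_escape_string($_REQUEST['title']) : '' ?>" /></td>
                         </tr>
                         <tr>
@@ -1050,10 +1079,10 @@
             if (substr($file,0,7) == "http://") {
                 if ($stats)
-                    $file=sb_display_url().sb_query_char().'show&amp;url='.URLencode($file);
+                    $file=sb_display_url().sb_query_char().'show&amp;url='.rawurlencode($file);
             } else {
                 if (!$stats)
-                    $file=get_bloginfo('wpurl').sb_get_option('upload_dir').URLencode($file);
+                    $file=get_bloginfo('wpurl').sb_get_option('upload_dir').rawurlencode($file);
                 else
-                    $file=sb_display_url().sb_query_char().'show&amp;file_name='.URLencode($file);
+                    $file=sb_display_url().sb_query_char().'show&amp;file_name='.rawurlencode($file);
             }
             return $file;
@@ -1063,22 +1092,48 @@
 }
 
-// Displays the mini flash mp3 player (only if audio player is installed)
+//Gets colour for mini-flash player from the options of another flash player plugin.
+function sb_get_flash_player_colour ($type) {
+    if ($type == 'foreground') {
+        //AudioPlayer v2
+        $options = get_option('AudioPlayer_options');
+        if ($options)
+            return $options['colorScheme']['rightbg'];
+        //AudioPlayer v1
+        $options = get_option('audio_player_rightbgcolor');
+        if ($options)
+            return str_replace('0x', '', $options);
+        //Default
+        return '000000';
+    } elseif ($type == 'background') {
+        //AudioPlayer v2
+        $options = get_option('AudioPlayer_options');
+        if ($options)
+            if ($options['colorScheme']['transparentpagebg'] == 'true')
+                return 'transparent';
+            else
+                return $options['colorScheme']['rightbg'];
+        //AudioPlayer v1
+        $options = get_option('audio_player_transparentpagebgcolor');
+        if ($options)
+            return 'transparent';
+        else
+            return str_replace('0x', '', get_option('audio_player_pagebgcolor'));
+
+    }
+}
+
+// Displays the mini flash mp3 player
 function sb_display_mini_player ($sermon, $id=1, $flashvars="") {
     $filename = sb_first_mp3($sermon, FALSE);
     if ($filename !="") {
-        $ap2_options = get_option('AudioPlayer_options');
-        if ($ap2_options != '') {
-            $color = '#'.$ap2_options['colorScheme']['rightbg'];
-        } else
-            $color = str_replace("0x", "#", get_option("audio_player_rightbgcolor"));
-        $flashvars .= "&foreColor=".$color;
+        $flashvars .= "&foreColor=#".sb_get_flash_player_colour ('foreground');
         $flashvars .= "&filename=".$filename;
         if (substr($flashvars, 0, 1) == "&")
             $flashvars = substr($flashvars, 1);
         echo " <span class=\"sermon-player\"><embed id=\"oneBitInsert_{$id}\" width=\"10\" height=\"10\"";
-        if (get_option('audio_player_transparentpagebgcolor')=="true")
+        if (sb_get_flash_player_colour ('background') == 'transparent')
             echo " wmode=\"transparent\"";
         else
-            echo " bgcolor=\"".get_option('audio_player_pagebgcolor')."\"";
+            echo " bgcolor=\"0x".sb_get_flash_player_colour ('background')."\"";
         echo " quality=\"high\"";
         echo " flashvars=\"".$flashvars."\"";
@@ -1087,4 +1142,3 @@
     }
 }
-
 ?>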
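Review bot: The date, enddate and title inputs in the filter form still escape `$_REQUEST` values into an HTML `value="…"` attribute with `mysql_real_escape_string()`, and the commit only wraps them in `isset()`; that function backslash-escapes quotes for SQL, which a browser does not honour, so a double quote in the request still terminates the attribute and each field remains a reflected-XSS sink — `htmlspecialchars($_REQUEST['date'], ENT_QUOTES)` (or WordPress's `esc_attr()`) is the right escaper there, and the new `htmlentities($_REQUEST['book'])` for `*book*` should likewise pass `ENT_QUOTES` unless that placeholder is known to land only in text content. In sb_admin_bar_menu the Templates entry reuses the id `sermon-browser-series` already given to Series & Services, so one of the two menus overwrites the other; `'id' => 'sermon-browser-templates'` fixes it. In sb_get_flash_player_colour the v1 background branch returns 'transparent' whenever `audio_player_transparentpagebgcolor` is truthy, whereas the code it replaces compared with the string "true", so a stored "false" now renders the player transparent — `if ($options == 'true')` restores the old behaviour — and both the v2 foreground and v2 background branches read `rightbg`, which looks like a copy-and-paste slip to confirm against the AudioPlayer option keys.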
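--- a/sermon-browser/trunk/sb-includes/podcast.php
+++ b/sermon-browser/trunk/sb-includes/podcast.php
@@ -59,10 +59,10 @@
     if ($media_type == 'URLs') {
         if ($stats)
-            $media_name=sb_display_url().sb_query_char().'show&amp;url='.URLencode($media_name);
+            $media_name=sb_display_url().sb_query_char().'show&amp;url='.rawurlencode($media_name);
     } else {
         if (!$stats)
-            $media_name=get_bloginfo('wpurl').sb_get_option('upload_dir').URLencode($media_name);
+            $media_name=get_bloginfo('wpurl').sb_get_option('upload_dir').rawurlencode($media_name);
         else
-            $media_name=sb_display_url().sb_query_char().'show&amp;file_name='.URLencode($media_name);
+            $media_name=sb_display_url().sb_query_char().'show&amp;file_name='.rawurlencode($media_name);
     }
     return sb_xml_entity_encode($media_name);
@@ -79,5 +79,5 @@
 $sermons = sb_get_sermons(
     array(
-        'title' => isset($_REQUEST['title']) ? $_REQUEST['title'] : '',
+        'title' => isset($_REQUEST['title']) ? stripslashes($_REQUEST['title']) : '',
         'preacher' => isset($_REQUEST['preacher']) ? $_REQUEST['preacher'] : '',
         'date' => isset($_REQUEST['date']) ? $_REQUEST['date'] : '',
@@ -85,6 +85,6 @@
         'series' => isset($_REQUEST['series']) ? $_REQUEST['series'] : '',
         'service' => isset($_REQUEST['service']) ? $_REQUEST['service'] : '',
-        'book' => isset($_REQUEST['book']) ? $_REQUEST['book'] : '',
-        'tag' => isset($_REQUEST['stag']) ? $_REQUEST['stag'] : '',
+        'book' => isset($_REQUEST['book']) ? stripslashes($_REQUEST['book']) : '',
+        'tag' => isset($_REQUEST['stag']) ? stripslashes($_REQUEST['stag']) : '',
     ),
     array(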
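Review bot: Only `title`, `book` and `tag` are passed through `stripslashes()` before sb_get_sermons(), while `preacher`, `date`, `series` and `service` go in raw; if the function expects unslashed input, as the three changed lines imply, the remaining string-valued filters should be handled the same way, and it must then escape every argument itself before building SQL — that escaping is not visible in this hunk, so a comment such as `// values are unslashed here; sb_get_sermons() must escape them before use` at the call site would record the contract. The media-URL branches build links containing a literal `&amp;` and then hand the result to sb_xml_entity_encode(); unless that helper leaves existing entities alone the feed will carry `&amp;amp;`, which is worth confirming. The `$sermons = sb_get_sermons(` statement continues past the end of the hunk.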
  • sermon-browser/trunk/sb-includes/readme.txt

    r377568 r379041  
    44Tags: sermons, podcast, mp3, church, bible, audio, widget, embed, video, esv, wpmu, preach, iTunes, preacher, listen 
    55Requires at least: 2.6 
    6 Tested up to: 3.0.6 
     6Tested up to: 3.1.2 
    77Stable tag: trunk 
    88 
     
    23239. Powerful **templating function** allows complete customisation to complement the look of your site. 
    242410. Simple statistics show how often each sermon has been listened to. 
    25 11. Support for [Wordpress MU](http://mu.wordpress.org/) (WPMU). 
     2511. Support for [Wordpress MU](http://mu.wordpress.org/) (WPMU). Wordpress multi-user support is coming soon! 
    262612. Extensive **help** and [tutorial screencasts](http://www.4-14.org.uk/wordpress-plugins/sermon-browser#tutorial). 
    27 13. English, Spanish, Romanian and Russian translations included. 
     2713. English, German, Portugese Brazilian, Romanian, Russian and Spanish translations included. 
    2828 
    2929== Installation == 
     
    5858If you want to customise how Sermon Browser appears throughout your site, use [Template tags](http://www.4-14.org.uk/wordpress-plugins/sermon-browser/template-tags). 
    5959 
     60== Upgrade Notice == 
     61 
     62= 0.44 = 
     63Fixes several bugs (including an important security fix), and adds support for the admin bar in WordPress 3.1 
     64 
     65= 0.43.5 = 
     66Important security fixes. All users should upgrade to this version. 
     67 
    6068== Changelog == 
     69 
     70= 0.44 (30 April 2011) = 
     71* **New feature:** Sermon Browser added to the new menu bar in Wordpress 3.1 and above. 
     72* **New feature:** Added support for Brazilian Portuguese and German (thanks to [DJIO](http://www.djio.com.br/sermonbrowser-em-portugues-brasileiro-pt_br/) and Monika Gause). 
     73* **Compatibility:** Now fully compatible with Wordpress 2.6 - 3.1. ([link](http://www.4-14.org.uk/forum/sermon-browser-support/cant-add-new-preacherseriesservice-in-add-sermon-page-w-wp-3-1/)) 
     74* **Enhancement:** [sermons] shortcode now supports the 'limit' and 'dir' parameters (thanks to [liggit](http://www.4-14.org.uk/forum/sermon-browser-support/patches-to-add-support-for-limit-and-dir-shortcode-attrs)) 
     75* **Bug fix:** More security fixes. 
     76* **Bug fix:** Custom podcasts are now working again ([link](http://www.4-14.org.uk/forum/sermon-browser-support/custom-podcast-link-no-longer-working)) 
     77* **Bug fix:** Fixed SQL_BIG_SELECTS issue on some hosts which could result in blank podcasts and sermons pages ([link](http://www.4-14.org.uk/forum/sermon-browser-support/can-only-ad-finite-sermons-till-plugin-breaks)) 
     78* **Bug fix:** Tags are now displaying correctly on sermons page 
     79* **Bug fix:** Slashes no longer appear in some saved text. 
     80* **Bug fix:** Sermon widget now works for users who have changed their database prefix ([link](http://www.4-14.org.uk/forum/sermon-browser-support/finish-previous-bug-fix)) 
     81* **Bug fix:** Text on javascript pop-ups is now ready for translation 
     82* **Bug fix:** Edit links on the main sermons page are no longer missing after the first page 
     83* **Bug fix:** Missing slash meant preacher image was not displaying for some people 
     84* **Bug fix:** Book counts now accurate even when more than one passage is applied to a sermon 
     85* **Bug fix:** Mini-flash player now inherits the colour of both Audio Player v1, and v2 
     86* **Bug fix:** Filenames with spaces are now encoded in an iTunes compatible way ([link](http://www.4-14.org.uk/forum/sermon-browser-support/patches-to-add-support-for-limit-and-dir-shortcode-attrs/#p1231)) 
     87* **Bug fix:** Sermon filter now always correctly displays which Bible book is being filtered on ([link](http://www.4-14.org.uk/forum/sermon-browser-support/important-info-about-the-future-of-sermon-browser/#p2849)) 
     88 
    6189 
    6290= 0.43.6 (26 April 2011) = 
  • sermon-browser/trunk/sb-includes/sb-install.php

    r378906 r379041  
    2424 
    2525    $table_name = "{$wpdb->prefix}sb_series"; 
    26     if ($wpdb->get_var("SHOW TABLES LIKE '{$table_name}'") != $table_name) {     
     26    if ($wpdb->get_var("SHOW TABLES LIKE '{$table_name}'") != $table_name) { 
    2727        $sql = "CREATE TABLE {$table_name} ( 
    2828            id INT(10) NOT NULL AUTO_INCREMENT, 
     
    3737 
    3838    $table_name = "{$wpdb->prefix}sb_services"; 
    39     if ($wpdb->get_var("SHOW TABLES LIKE '{$table_name}'") != $table_name) {     
     39    if ($wpdb->get_var("SHOW TABLES LIKE '{$table_name}'") != $table_name) { 
    4040        $sql = "CREATE TABLE {$table_name} ( 
    4141            id INT(10) NOT NULL AUTO_INCREMENT, 
     
    5252 
    5353    $table_name = "{$wpdb->prefix}sb_sermons"; 
    54     if ($wpdb->get_var("SHOW TABLES LIKE '{$table_name}'") != $table_name) {     
     54    if ($wpdb->get_var("SHOW TABLES LIKE '{$table_name}'") != $table_name) { 
    5555        $sql = "CREATE TABLE {$table_name} ( 
    5656            id INT(10) NOT NULL AUTO_INCREMENT, 
     
    7272 
    7373    $table_name = "{$wpdb->prefix}sb_books_sermons"; 
    74     if ($wpdb->get_var("SHOW TABLES LIKE '{$table_name}'") != $table_name) {     
     74    if ($wpdb->get_var("SHOW TABLES LIKE '{$table_name}'") != $table_name) { 
    7575        $sql = "CREATE TABLE {$table_name} ( 
    7676            id INT(10) NOT NULL AUTO_INCREMENT, 
     
    8888 
    8989    $table_name = "{$wpdb->prefix}sb_books"; 
    90     if ($wpdb->get_var("SHOW TABLES LIKE '{$table_name}'") != $table_name) {     
     90    if ($wpdb->get_var("SHOW TABLES LIKE '{$table_name}'") != $table_name) { 
    9191        $sql = "CREATE TABLE {$table_name} ( 
    9292            id INT(10) NOT NULL AUTO_INCREMENT, 
     
    9898 
    9999    $table_name = "{$wpdb->prefix}sb_stuff"; 
    100     if ($wpdb->get_var("SHOW TABLES LIKE '{$table_name}'") != $table_name) {     
     100    if ($wpdb->get_var("SHOW TABLES LIKE '{$table_name}'") != $table_name) { 
    101101        $sql = "CREATE TABLE {$table_name} ( 
    102102            id INT(10) NOT NULL AUTO_INCREMENT , 
     
    112112 
    113113    $table_name = "{$wpdb->prefix}sb_tags"; 
    114     if ($wpdb->get_var("SHOW TABLES LIKE '{$table_name}'") != $table_name) {     
     114    if ($wpdb->get_var("SHOW TABLES LIKE '{$table_name}'") != $table_name) { 
    115115        $sql = "CREATE TABLE {$table_name} ( 
    116116            id int(10) NOT NULL auto_increment, 
     
    123123 
    124124    $table_name = "{$wpdb->prefix}sb_sermons_tags"; 
    125     if ($wpdb->get_var("SHOW TABLES LIKE '{$table_name}'") != $table_name) {     
     125    if ($wpdb->get_var("SHOW TABLES LIKE '{$table_name}'") != $table_name) { 
    126126        $sql = "CREATE TABLE {$table_name} ( 
    127127            id INT(10) NOT NULL AUTO_INCREMENT, 
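--- a/sermon-browser/trunk/sb-includes/widget.php
+++ b/sermon-browser/trunk/sb-includes/widget.php
@@ -97,10 +97,10 @@
             if (substr($file,0,7) == "http://") {
                 if ($stats)
-                    $file=sb_display_url().sb_query_char().'show&amp;url='.URLencode($file);
+                    $file=sb_display_url().sb_query_char().'show&amp;url='.rawurlencode($file);
             } else {
                 if (!$stats)
-                    $file=sb_get_value('wordpress_url').get_option('sb_sermon_upload_dir').URLencode($file);
+                    $file=sb_get_value('wordpress_url').get_option('sb_sermon_upload_dir').rawurlencode($file);
                 else
-                    $file=sb_display_url().sb_query_char().'show&amp;file_name='.URLencode($file);
+                    $file=sb_display_url().sb_query_char().'show&amp;file_name='.rawurlencode($file);
             }
             return $file;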
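Review bot: The `substr($file,0,7) == "http://"` test that selects the branch only recognises plain http, so an https media URL falls into the local-file branches and is passed whole through the new `rawurlencode()` call, which also encodes `://` and yields a link to a non-existent upload; `if (preg_match('#^https?://#i', $file)) {` covers both schemes. `rawurlencode()` also encodes `/`, so a `file_name` that includes a sub-directory will no longer resolve in the non-stats branch — fine if upload names are always flat, otherwise the path segments need encoding separately. This block is a near-duplicate of the one in frontend.php (the `show&amp;url=` / `file_name=` branches) and shares the http-only test with it; a single helper would keep the copies in step. The enclosing function starts outside the hunk.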
  • sermon-browser/trunk/sermon.php

    r378906 r379041  
    55Description: Add sermons to your Wordpress blog. Thanks to <a href="http://codeandmore.com/">Tien Do Xuan</a> for initial coding. 
    66Author: Mark Barnes 
    7 Version: 0.43.6 
     7Version: 0.44 
    88Author URI: http://www.4-14.org.uk/ 
    99 
    10 Copyright (c) 2008-2009 Mark Barnes 
     10Copyright (c) 2008-2011 Mark Barnes 
    1111 
    1212This program is free software: you can redistribute it and/or modify 
     
    5454* @package common_functions 
    5555*/ 
    56 define('SB_CURRENT_VERSION', '0.43.6'); 
     56define('SB_CURRENT_VERSION', '0.43.7'); 
    5757define('SB_DATABASE_VERSION', '1.6'); 
    5858add_action ('plugins_loaded', 'sb_hijack'); 
     
    8484    //Forces sermon download of local file 
    8585    if (isset($_GET['download']) AND isset($_GET['file_name'])) { 
    86         $file_name = $wpdb->escape(urldecode($_GET['file_name'])); 
     86        $file_name = $wpdb->escape(rawurldecode($_GET['file_name'])); 
    8787        $file_name = $wpdb->get_var("SELECT name FROM {$wpdb->prefix}sb_stuff WHERE name='{$file_name}'"); 
    8888        if (!is_null($file_name)) { 
     
    103103            die(); 
    104104        } else 
    105             wp_die(htmlentities(urldecode($_GET['file_name'])).' '.__('not found', $sermon_domain), __('File not found', $sermon_domain), array('response' => 404)); 
     105            wp_die(htmlentities(rawurldecode($_GET['file_name'])).' '.__('not found', $sermon_domain), __('File not found', $sermon_domain), array('response' => 404)); 
    106106    } 
    107107 
    108108    //Forces sermon download of external URL 
    109109    if (isset($_REQUEST['download']) AND isset($_REQUEST['url'])) { 
    110         $url = urldecode($_GET['url']); 
     110        $url = rawurldecode($_GET['url']); 
    111111        if(ini_get('allow_url_fopen')) { 
    112112            $headers = @get_headers($url, 1); 
    113113            if ($headers === FALSE || (isset($headers[0]) && strstr($headers[0], '404') !== FALSE)) 
    114                 wp_die(urldecode($_GET['url']).' '.__('not found', $sermon_domain), __('URL not found', $sermon_domain), array('response' => 404)); 
     114                wp_die(htmlentities(rawurldecode($_GET['url'])).' '.__('not found', $sermon_domain), __('URL not found', $sermon_domain), array('response' => 404)); 
    115115            $headers = array_change_key_case($headers,CASE_LOWER); 
    116116            if (isset($headers['location'])) { 
     
    158158    if (isset($_GET['show']) AND isset($_GET['file_name'])) { 
    159159        global $filetypes; 
    160         $file_name = $wpdb->escape(urldecode($_GET['file_name'])); 
     160        $file_name = $wpdb->escape(rawurldecode($_GET['file_name'])); 
    161161        $file_name = $wpdb->get_var("SELECT name FROM {$wpdb->prefix}sb_stuff WHERE name='{$file_name}'"); 
    162162        if (!is_null($file_name)) { 
     
    166166            die(); 
    167167        } else 
    168             wp_die(urldecode($_GET['file_name']).' '.__('not found', $sermon_domain), __('File not found', $sermon_domain), array('response' => 404)); 
     168            wp_die(htmlentities(rawurldecode($_GET['file_name'])).' '.__('not found', $sermon_domain), __('File not found', $sermon_domain), array('response' => 404)); 
    169169    } 
    170170 
    171171    //Returns contents of external URL(doesn't force download) 
    172172    if (isset($_REQUEST['show']) AND isset($_REQUEST['url'])) { 
    173         $url = URLDecode($_GET['url']); 
     173        $url = rawurldecode($_GET['url']); 
    174174        sb_increase_download_count ($url); 
    175175        header('Location: '.$url); 
     
    209209    // Register [sermon] shortcode handler 
    210210    add_shortcode('sermons', 'sb_shortcode'); 
     211    add_shortcode('sermon', 'sb_shortcode'); 
    211212 
    212213    // Attempt to set php.ini directives 
     
    252253        add_action('wp_head', 'sb_add_headers', 0); 
    253254        add_action('wp_head', 'wp_print_styles', 9); 
     255        add_action('admin_bar_menu', 'sb_admin_bar_menu'); 
    254256        add_filter('wp_title', 'sb_page_title'); 
    255257        if (defined('SAVEQUERIES') && SAVEQUERIES) 
     
    271273function sb_add_pages() { 
    272274    global $sermon_domain; 
    273     add_menu_page(__('Sermons', $sermon_domain), __('Sermons', $sermon_domain), 'edit_posts', __FILE__, 'sb_manage_sermons', SB_PLUGIN_URL.'/sb-includes/sb-icon.png'); 
    274     add_submenu_page(__FILE__, __('Sermons', $sermon_domain), __('Sermons', $sermon_domain), 'edit_posts', __FILE__, 'sb_manage_sermons'); 
     275    add_menu_page(__('Sermons', $sermon_domain), __('Sermons', $sermon_domain), 'publish_posts', __FILE__, 'sb_manage_sermons', SB_PLUGIN_URL.'/sb-includes/sb-icon.png'); 
     276    add_submenu_page(__FILE__, __('Sermons', $sermon_domain), __('Sermons', $sermon_domain), 'publish_posts', __FILE__, 'sb_manage_sermons'); 
    275277    if (isset($_REQUEST['page']) && $_REQUEST['page'] == 'sermon-browser/new_sermon.php' && isset($_REQUEST['mid'])) { 
    276278        add_submenu_page(__FILE__, __('Edit Sermon', $sermon_domain), __('Edit Sermon', $sermon_domain), 'publish_posts', 'sermon-browser/new_sermon.php', 'sb_new_sermon'); 
     
    284286    add_submenu_page(__FILE__, __('Templates', $sermon_domain), __('Templates', $sermon_domain), 'manage_options', 'sermon-browser/templates.php', 'sb_templates'); 
    285287    add_submenu_page(__FILE__, __('Uninstall', $sermon_domain), __('Uninstall', $sermon_domain), 'edit_plugins', 'sermon-browser/uninstall.php', 'sb_uninstall'); 
    286     add_submenu_page(__FILE__, __('Help', $sermon_domain), __('Help', $sermon_domain), 'edit_posts', 'sermon-browser/help.php', 'sb_help'); 
     288    add_submenu_page(__FILE__, __('Help', $sermon_domain), __('Help', $sermon_domain), 'publish_posts', 'sermon-browser/help.php', 'sb_help'); 
     289    add_submenu_page(__FILE__, __('Pray for Japan', $sermon_domain), __('Pray for Japan', $sermon_domain), 'publish_posts', 'sermon-browser/japan.php', 'sb_japan'); 
    287290} 
    288291 
     
    371374function sb_display_front_end() { 
    372375    global $wpdb, $post; 
    373     $pageid = $wpdb->get_var("SELECT ID FROM {$wpdb->posts} WHERE post_content LIKE '%[sermons%' AND (post_status = 'publish' OR post_status = 'private') AND ID={$post->ID} AND post_date < NOW();"); 
     376    $pageid = $wpdb->get_var("SELECT ID FROM {$wpdb->posts} WHERE post_content LIKE '%[sermon%' AND (post_status = 'publish' OR post_status = 'private') AND ID={$post->ID} AND post_date < NOW();"); 
    374377    if ($pageid === NULL) 
    375378        return FALSE; 
     
    379382 
    380383/** 
     384* Get the page_id of the main sermons page 
     385* 
     386* @return integer 
     387*/ 
     388function sb_get_page_id() { 
     389    global $wpdb, $post; 
     390    $pageid = $wpdb->get_var("SELECT ID FROM {$wpdb->posts} WHERE post_content LIKE '%[sermons]%' AND (post_status = 'publish' OR post_status = 'private') AND post_date < NOW();"); 
     391    if (!$pageid) 
     392        $pageid = $wpdb->get_var("SELECT ID FROM {$wpdb->posts} WHERE post_content LIKE '%[sermon %' AND (post_status = 'publish' OR post_status = 'private') AND post_date < NOW();"); 
     393    if (!$pageid) 
     394        return 0; 
     395    else 
     396        return intval($pageid); 
     397} 
     398 
     399/** 
    381400* Get the URL of the main sermons page 
    382401* 
     
    386405    global $wpdb, $post, $sb_display_url; 
    387406    if ($sb_display_url == '') { 
    388         $pageid = $wpdb->get_var("SELECT ID FROM {$wpdb->posts} WHERE post_content LIKE '%[sermons]%' AND (post_status = 'publish' OR post_status = 'private') AND post_date < NOW();"); 
    389         if (!$pageid) 
    390             $pageid = $wpdb->get_var("SELECT ID FROM {$wpdb->posts} WHERE post_content LIKE '%[sermons %' AND (post_status = 'publish' OR post_status = 'private') AND post_date < NOW();"); 
    391         if (!$pageid) 
     407        $pageid = sb_get_page_id(); 
     408        if ($pageid == 0) 
    392409            return '#'; 
    393         $sb_display_url = get_permalink($pageid); 
    394         if ($sb_display_url == get_bloginfo('wpurl') || $sb_display_url == '') // Hack to force true permalink even if page used for front page. 
    395             $sb_display_url = get_bloginfo('wpurl').'/?page_id='.$pageid; 
     410        if (defined('SB_AJAX') && SB_AJAX) 
     411            return get_bloginfo('wpurl').'/?page_id='.$pageid; // Don't use permalinks in Ajax calls 
     412        else { 
     413            $sb_display_url = get_permalink($pageid); 
     414            if ($sb_display_url == get_bloginfo('wpurl') || $sb_display_url == '') // Hack to force true permalink even if page used for front page. 
     415                $sb_display_url = get_bloginfo('wpurl').'/?page_id='.$pageid; 
     416            } 
    396417    } 
    397418    return $sb_display_url; 
     
    457478        'preacher' => isset($_REQUEST['preacher']) ? $_REQUEST['preacher'] : '', 
    458479        'series' => isset($_REQUEST['series']) ? $_REQUEST['series'] : '', 
    459         'book' => isset($_REQUEST['book']) ? $_REQUEST['book'] : '', 
     480        'book' => isset($_REQUEST['book']) ? stripslashes($_REQUEST['book']) : '', 
    460481        'service' => isset($_REQUEST['service']) ? $_REQUEST['service'] : '', 
    461482        'date' => isset($_REQUEST['date']) ? $_REQUEST['date'] : '', 
    462483        'enddate' => isset($_REQUEST['enddate']) ? $_REQUEST['enddate'] : '', 
    463         'tag' => isset($_REQUEST['stag']) ? $_REQUEST['stag'] : '', 
    464         'title' => isset($_REQUEST['title']) ? $_REQUEST['title'] : '', 
    465     ), $atts); 
     484        'tag' => isset($_REQUEST['stag']) ? stripslashes($_REQUEST['stag']) : '', 
     485        'title' => isset($_REQUEST['title']) ? stripslashes($_REQUEST['title']) : '', 
     486        'limit' => '0', 
     487        'dir' => isset($_REQUEST['dir']) ? stripslashes($_REQUEST['dir']) : '', ), 
     488    $atts); 
    466489    if ($atts['id'] != '') { 
    467490        if (strtolower($atts['id']) == 'latest') { 
    468491            $atts['id'] = ''; 
     492            $wpdb->query('SET SQL_BIG_SELECTS=1'); 
    469493            $query = $wpdb->get_results(sb_create_multi_sermon_query($atts, array(), 1, 1)); 
    470494            $atts['id'] = $query[0]->id; 
     
    480504    } else { 
    481505        if (isset($_REQUEST['sortby'])) 
    482             $sort_criteria = $_REQUEST['sortby']; 
     506            $sort_criteria = $wpdb->escape($_REQUEST['sortby']); 
    483507        else 
    484508            $sort_criteria = 'm.datetime'; 
    485         if (isset($_REQUEST['dir'])) 
    486             $dir = $_REQUEST['dir']; 
     509        if (!empty($atts['dir'])) 
     510            $dir = $wpdb->escape($atts['dir']); 
    487511        elseif ($sort_criteria == 'm.datetime') 
    488512            $dir = 'desc'; 
     
    495519            $page = 1; 
    496520        $hide_empty = sb_get_option('hide_no_attachments'); 
    497         $sermons = sb_get_sermons($atts, $sort_order, $page, 0, $hide_empty); 
     521        $sermons = sb_get_sermons($atts, $sort_order, $page, (int)$atts['limit'], $hide_empty); 
    498522        $output = '?>'.sb_get_option('search_output'); 
    499523        eval($output); 
     
    704728    if ($limit == 0) 
    705729        $limit = sb_get_option('sermons_per_page'); 
     730    $wpdb->query('SET SQL_BIG_SELECTS=1'); 
    706731    $query = $wpdb->get_results(sb_create_multi_sermon_query($filter, $order, $page, $limit, $hide_empty)); 
    707732    $record_count = $wpdb->get_var("SELECT FOUND_ROWS()"); 
     
    774799    $offset = $limit * ($page - 1); 
    775800    if ($order['by'] == 'b.id' ) { 
    776         $order['by'] = 'b.id '.$order['dir'].', bs.chapter '.$order['dir'].', bs.verse'; 
     801        $order['by'] = 'b.id '.$wpdb->escape($order['dir']).', bs.chapter '.$wpdb->escape($order['dir']).', bs.verse'; 
    777802    } 
    778803    return "SELECT SQL_CALC_FOUND_ROWS DISTINCT m.id, m.title, m.description, m.datetime, m.time, m.start, m.end, p.id as pid, p.name as preacher, p.description as preacher_description, p.image, s.id as sid, s.name as service, ss.id as ssid, ss.name as series 
     
    781806        LEFT JOIN {$wpdb->prefix}sb_services as s ON m.service_id = s.id 
    782807        LEFT JOIN {$wpdb->prefix}sb_series as ss ON m.series_id = ss.id 
    783         LEFT JOIN {$wpdb->prefix}sb_books_sermons as bs ON bs.sermon_id = m.id $bs 
     808        LEFT JOIN {$wpdb->prefix}sb_books_sermons as bs ON bs.sermon_id = m.id {$bs} 
    784809        LEFT JOIN {$wpdb->prefix}sb_books as b ON bs.book_name = b.name 
    785810        LEFT JOIN {$wpdb->prefix}sb_sermons_tags as st ON st.sermon_id = m.id 
     
    873898    return $path; 
    874899} 
     900 
     901// Replacement for get_admin_url for pre WP 3.0 compatability 
     902function sb_get_admin_url($blog_id = null, $path = '', $scheme = 'admin') { 
     903    if (function_exists('get_admin_url')) 
     904        return get_admin_url($blog_id, $path, $scheme); 
     905    else { 
     906        $url = trailingslashit(get_option('siteurl')).'wp-admin/'; 
     907        if (!empty($path) && is_string($path) && strpos($path, '..') === false) 
     908            $url .= ltrim($path, '/'); 
     909        return $url; 
     910    } 
     911} 
    875912?> 