

Changeset 773534


Timestamp:
09/16/13 18:40:08 (4 years ago)
Author:
bhengh
Message:

Updating to 0.45.12 (more bug fixes)

Location:
sermon-browser/trunk
Files:
5 edited

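--- a/sermon-browser/trunk/sb-includes/admin.php
+++ b/sermon-browser/trunk/sb-includes/admin.php
@@ -127,5 +127,5 @@
             if (sb_mkdir(SB_ABSPATH.$dir))
                 @chmod(SB_ABSPATH.$dir, 0777);
-        if(!is_dir(SB_ABSPATH.$dir.'images') && sb_mkdir(SB_ABSPATH.$sermonUploadDir.'images'))
+        if(!is_dir(SB_ABSPATH.$dir.'images') && sb_mkdir(SB_ABSPATH.$dir.'images'))
             @chmod(SB_ABSPATH.$dir.'images', 0777);
            $checkSermonUpload = sb_checkSermonUploadable();
@@ -435,6 +435,6 @@
     //Save changes
     if (isset($_POST['save'])) {
-        $name = $wpdb->escape($_POST['name']);
-        $description = $wpdb->escape($_POST['description']);
+        $name = esc_sql($_POST['name']);
+        $description = esc_sql($_POST['description']);
         $error = false;
         $pid = (int) $_REQUEST['pid'];
@@ -812,9 +812,9 @@
                         fclose($remote_file);
                         fclose($file);
-                        $wpdb->query("INSERT INTO {$wpdb->prefix}sb_stuff VALUES (null, 'file', '".$wpdb->escape($filename)."', 0, 0, 0)");
+                        $wpdb->query("INSERT INTO {$wpdb->prefix}sb_stuff VALUES (null, 'file', '".esc_sql($filename)."', 0, 0, 0)");
                         echo "<script>document.location = '".admin_url('admin.php?page=sermon-browser/new_sermon.php&getid3='.$wpdb->insert_id)."';</script>";
                     }
                 } else {
-                    $wpdb->query("INSERT INTO {$wpdb->prefix}sb_stuff VALUES (null, 'url', '".$wpdb->escape($url)."', 0, 0, 0)");
+                    $wpdb->query("INSERT INTO {$wpdb->prefix}sb_stuff VALUES (null, 'url', '".esc_sql($url)."', 0, 0, 0)");
                     echo "<script>document.location = '".admin_url('admin.php?page=sermon-browser/new_sermon.php&getid3='.$wpdb->insert_id)."';</script>";
                     die();
@@ -1326,9 +1326,9 @@
     if (isset($_POST['save']) && isset($_POST['title'])) {
     // prepare
-        $title = $wpdb->escape($_POST['title']);
+        $title = esc_sql($_POST['title']);
         $preacher_id = (int) $_POST['preacher'];
         $service_id = (int) $_POST['service'];
         $series_id = (int) $_POST['series'];
-        $time = isset($_POST['time']) ? $wpdb->escape($_POST['time']) : '';
+        $time = isset($_POST['time']) ? esc_sql($_POST['time']) : '';
         $startz = $endz = array();
         for ($foo = 0; $foo < count($_POST['start']['book']); $foo++) {
@@ -1346,6 +1346,6 @@
             }
         }
-        $start = $wpdb->escape(serialize($startz));
-        $end = $wpdb->escape(serialize($endz));
+        $start = esc_sql(serialize($startz));
+        $end = esc_sql(serialize($endz));
         $date = strtotime($_POST['date']);
         $override = (isset($_POST['override']) && $_POST['override'] == 'on') ? 1 : 0;
@@ -1366,5 +1366,5 @@
         }
         // edit or not edit
-        if (!$_GET['mid']) { // new
+        if ( !isset($_GET['mid']) or !$_GET['mid'] ) { // new
             //Security check
             if (!current_user_can('publish_pages'))
@@ -1413,7 +1413,7 @@
                     $prefix = '';
                     $dest = SB_ABSPATH.sb_get_option('upload_dir').$prefix.$filename;
-                    if ($wpdb->get_var("SELECT COUNT(*) FROM {$wpdb->prefix}sb_stuff WHERE name = '".$wpdb->escape($filename)."'") == 0 && move_uploaded_file($_FILES['upload']['tmp_name'][$uid], $dest)) {
+                    if ($wpdb->get_var("SELECT COUNT(*) FROM {$wpdb->prefix}sb_stuff WHERE name = '".esc_sql($filename)."'") == 0 && move_uploaded_file($_FILES['upload']['tmp_name'][$uid], $dest)) {
                         $filename = $prefix.mysql_real_escape_string($filename);
-                        $wpdb->query("INSERT INTO {$wpdb->prefix}sb_stuff VALUES (null, 'file', '".$wpdb->escape($filename)."', $id, 0, 0)");
+                        $wpdb->query("INSERT INTO {$wpdb->prefix}sb_stuff VALUES (null, 'file', '".esc_sql($filename)."', $id, 0, 0)");
                     } else {
                         echo '<div id="message" class="updated fade"><p><b>'.$filename.__(' already exists.', $sermon_domain).'</b></div>';
@@ -1464,5 +1464,5 @@
     $id3_tags = array();
     if (isset($_GET['getid3'])) {
-        $file_data = $wpdb->get_row("SELECT name, type FROM {$wpdb->prefix}sb_stuff WHERE id = ".$wpdb->escape($_GET['getid3']));
+        $file_data = $wpdb->get_row("SELECT name, type FROM {$wpdb->prefix}sb_stuff WHERE id = ".esc_sql($_GET['getid3']));
         if ($file_data !== NULL) {
             if ( ! class_exists( 'getID3' ) ) {
@@ -1532,6 +1532,6 @@
                 $filename = substr($filename, 0, strrpos($filename, '.'));
                 $filename = str_replace ('--', '-', str_replace ('/', '-', $filename));
-                $filename = trim(ereg_replace('[^0-9-]', '', $filename), '-');
-                $date = explode('-', $filename, 3);
+                $filename = trim(preg_replace('/[^0-9-]/', '', $filename), '-');
+                $date = explode('-', $filename);
                 $id3_tags['date'] = '';
                 if (count($date) >= 3) {
@@ -2349,13 +2349,13 @@
         $player = '';
     } else {
-        $limit = attribute_escape($options[$number]['limit']);
-        $preacher = attribute_escape($options[$number]['preacher']);
-        $service = attribute_escape($options[$number]['service']);
-        $series = attribute_escape($options[$number]['series']);
+        $limit = esc_attr($options[$number]['limit']);
+        $preacher = esc_attr($options[$number]['preacher']);
+        $service = esc_attr($options[$number]['service']);
+        $series = esc_attr($options[$number]['series']);
         $preacherz = (int) $options[$number]['preacherz'];
         $book = (int) $options[$number]['book'];
-        $title = attribute_escape($options[$number]['title']);
+        $title = esc_attr($options[$number]['title']);
         $date = (int) $options[$number]['date'];
-        $player = attribute_escape($options[$number]['player']);
+        $player = esc_attr($options[$number]['player']);
     }
 
@@ -2431,9 +2431,9 @@
     }
 
-    $title = attribute_escape($options['title']);
-    $limit = attribute_escape($options['limit']);
-    $display_sermons = (boolean) attribute_escape($options['display_sermons']);
-    $display_series = (boolean) attribute_escape($options['display_series']);
-    $display_preachers = (boolean) attribute_escape($options['display_preachers']);
+    $title = esc_attr($options['title']);
+    $limit = esc_attr($options['limit']);
+    $display_sermons = (boolean) esc_attr($options['display_sermons']);
+    $display_series = (boolean) esc_attr($options['display_series']);
+    $display_preachers = (boolean) esc_attr($options['display_preachers']);
 
 ?>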
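Review bot: Line 1466 splices `esc_sql($_GET['getid3'])` into an unquoted `WHERE id = ` comparison, and `esc_sql()` only escapes quote and backslash characters, so a value such as `1 OR 1=1` reaches MySQL unchanged; swapping `$wpdb->escape()` for `esc_sql()` does not alter that. The fix is a typed placeholder: `$file_data = $wpdb->get_row($wpdb->prepare("SELECT name, type FROM {$wpdb->prefix}sb_stuff WHERE id = %d", $_GET['getid3']));`. Separately, line 1416 already passes `$filename` through `mysql_real_escape_string()` and line 1417 then applies `esc_sql()` to the same value, so names containing quotes or backslashes are stored double-escaped; the escaping at 1416 should go, or that INSERT should also move to `$wpdb->prepare()` with `%s`. The functions containing these hunks all start and end outside the lines shown.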
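--- a/sermon-browser/trunk/sb-includes/frontend.php
+++ b/sermon-browser/trunk/sb-includes/frontend.php
@@ -708,5 +708,5 @@
     echo '<div class="sermon_file">';
     sb_print_url ($url);
-    if (substr($url, -4) == ".mp3") {
+    if (strtolower(substr($url, -4)) == ".mp3") {
         if ((substr($url,0,7) == "http://") or (substr($url,0,8) == 'https://')) {
             $param="url"; }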
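Review bot: The check at line 710 still inspects only the last four characters of `$url`, so an MP3 link carrying a query string or fragment (`track.mp3?dl=1`) is not recognised even after the case-insensitivity fix; testing the extension of the URL path covers both cases, e.g. `if (strtolower(pathinfo(parse_url($url, PHP_URL_PATH), PATHINFO_EXTENSION)) == 'mp3') {`. Whether such URLs actually reach this code I can't tell from the hunk; the enclosing function starts and ends outside it.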
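--- a/sermon-browser/trunk/sb-includes/podcast.php
+++ b/sermon-browser/trunk/sb-includes/podcast.php
@@ -25,5 +25,5 @@
     global $wpdb;
     if (strtolower(substr($media_name, -3)) == 'mp3' && $media_type == 'Files') {
-        $duration = $wpdb->get_var("SELECT duration FROM {$wpdb->prefix}sb_stuff WHERE type = 'file' AND name = '".$wpdb->escape($media_name)."'");
+        $duration = $wpdb->get_var("SELECT duration FROM {$wpdb->prefix}sb_stuff WHERE type = 'file' AND name = '".esc_sql($media_name)."'");
         if ($duration)
             return $duration;
@@ -38,5 +38,5 @@
             $MediaFileInfo = $getID3->analyze(SB_ABSPATH.sb_get_option('upload_dir').$media_name);
             $duration = isset($MediaFileInfo['playtime_string']) ? $MediaFileInfo['playtime_string'] : '';
-            $wpdb->query("UPDATE {$wpdb->prefix}sb_stuff SET duration = '".$wpdb->escape($duration)."' WHERE type = 'file' AND name = '".$wpdb->escape($media_name)."'");
+            $wpdb->query("UPDATE {$wpdb->prefix}sb_stuff SET duration = '".esc_sql($duration)."' WHERE type = 'file' AND name = '".esc_sql($media_name)."'");
             return $duration;
         }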
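Review bot: Line 38 still builds the path `SB_ABSPATH.sb_get_option('upload_dir').$media_name` from `$media_name` with no visible check that the result stays inside the upload directory, so if any caller can supply a name containing `../`, getID3 is pointed at an arbitrary readable file; where the name comes from is outside these hunks, so this may be guarded upstream, but the guard would be safer local to this function (e.g. return early when `basename($media_name) !== $media_name`). The two queries at lines 27 and 40 that this commit touches should use `$wpdb->prepare()` rather than hand-quoted `esc_sql()` output, e.g. `$duration = $wpdb->get_var($wpdb->prepare("SELECT duration FROM {$wpdb->prefix}sb_stuff WHERE type = 'file' AND name = %s", $media_name));`. The enclosing function begins before the first hunk and ends after the second.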
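--- a/sermon-browser/trunk/sb-includes/sb-install.php
+++ b/sermon-browser/trunk/sb-includes/sb-install.php
@@ -418,5 +418,5 @@
 
 div.net p.poetry {
-    font-style: italics;
+    font-style: italic;
     margin: 0
 }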
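--- a/sermon-browser/trunk/sermon.php
+++ b/sermon-browser/trunk/sermon.php
@@ -5,5 +5,5 @@
 Description: Upload sermons to your website, where they can be searched, listened to, and downloaded. Easy to use with comprehensive help and tutorials.
 Author: Mark Barnes
-Version: 0.45.11
+Version: 0.45.12
 Author URI: http://www.4-14.org.uk/
 
@@ -54,5 +54,5 @@
 * @package common_functions
 */
-define('SB_CURRENT_VERSION', '0.45.11');
+define('SB_CURRENT_VERSION', '0.45.12');
 define('SB_DATABASE_VERSION', '1.7');
 sb_define_constants();
@@ -73,6 +73,6 @@
 
     global $filetypes, $wpdb, $sermon_domain;
- 
-    if (function_exists('wp_timezone_supported') && wp_timezone_supported())
+     
+    if ( version_compare(get_bloginfo('version'), '3.2', '>=') || (function_exists('wp_timezone_supported') && wp_timezone_supported()) )
         wp_timezone_override_offset();
 
@@ -84,5 +84,5 @@
     //Forces sermon download of local file
     if (isset($_GET['download']) AND isset($_GET['file_name'])) {
-        $file_name = $wpdb->escape(rawurldecode($_GET['file_name']));
+        $file_name = esc_sql(rawurldecode($_GET['file_name']));
         $file_name = $wpdb->get_var("SELECT name FROM {$wpdb->prefix}sb_stuff WHERE name='{$file_name}'");
         if (!is_null($file_name)) {
@@ -93,5 +93,5 @@
             header("Content-Type: application/octet-stream");
             header("Content-Type: application/download");
-            header('Content-Disposition: attachment; filename="'.$file_name.'";');
+            header('Content-Disposition: attachment; filename="'.$file_name.'"');
             header("Content-Transfer-Encoding: binary");
             sb_increase_download_count ($file_name);
@@ -140,5 +140,5 @@
                 header ('Content-Disposition: '.$headers['content-disposition']);
             else
-                header('Content-Disposition: attachment; filename="'.basename($url).'";');
+                header('Content-Disposition: attachment; filename="'.basename($url).'"');
             header("Content-Transfer-Encoding: binary");
             header($_SERVER['SERVER_PROTOCOL'].' 200 OK');
@@ -158,5 +158,5 @@
     if (isset($_GET['show']) AND isset($_GET['file_name'])) {
         global $filetypes;
-        $file_name = $wpdb->escape(rawurldecode($_GET['file_name']));
+        $file_name = esc_sql(rawurldecode($_GET['file_name']));
         $file_name = $wpdb->get_var("SELECT name FROM {$wpdb->prefix}sb_stuff WHERE name='{$file_name}'");
         if (!is_null($file_name)) {
@@ -516,9 +516,9 @@
     } else {
         if (isset($_REQUEST['sortby']))
-            $sort_criteria = $wpdb->escape($_REQUEST['sortby']);
+            $sort_criteria = esc_sql($_REQUEST['sortby']);
         else
             $sort_criteria = 'm.datetime';
         if (!empty($atts['dir']))
-            $dir = $wpdb->escape($atts['dir']);
+            $dir = esc_sql($atts['dir']);
         elseif ($sort_criteria == 'm.datetime')
             $dir = 'desc';
@@ -775,7 +775,12 @@
     $filter = array_merge($default_filter, (array)$filter);
     $order = array_merge($default_order, (array)$order);
+    if ( strtolower($order['dir']) != 'desc' and strtolower($order['dir']) != 'asc' )
+        $order['dir'] = $default_order['dir'];
+    $valid_sortby_values = array( 'm.id', 'm.title', 'm.datetime', 'm.start', 'm.end', 'p.id', 'p.name', 's.id', 's.name', 'ss.id', 'ss.name');
+    if ( !in_array($order['by'], $valid_sortby_values) )
+        $order['by'] = $default_order['by'];
     $page = (int) $page;
     $cond = '1=1 ';
     if ($filter['title'] != '') {
-        $cond .= "AND (m.title LIKE '%" . $wpdb->escape($filter['title']) . "%' OR m.description LIKE '%" . $wpdb->escape($filter['title']). "%' OR t.name LIKE '%" . $wpdb->escape($filter['title']) . "%') ";
+        $cond .= "AND (m.title LIKE '%" . esc_sql($filter['title']) . "%' OR m.description LIKE '%" . esc_sql($filter['title']). "%' OR t.name LIKE '%" . esc_sql($filter['title']) . "%') ";
     }
@@ -784,7 +789,7 @@
     }
     if ($filter['date'] != '') {
-        $cond .= 'AND m.datetime >= "' . $wpdb->escape($filter['date']) . '" ';
+        $cond .= 'AND m.datetime >= "' . esc_sql($filter['date']) . '" ';
     }
     if ($filter['enddate'] != '') {
-        $cond .= 'AND m.datetime <= "' . $wpdb->escape($filter['enddate']) . '" ';
+        $cond .= 'AND m.datetime <= "' . esc_sql($filter['enddate']) . '" ';
     }
@@ -796,13 +801,13 @@
     }
     if ($filter['book'] != '') {
-        $cond .= 'AND bs.book_name = "' . $wpdb->escape($filter['book']) . '" ';
+        $cond .= 'AND bs.book_name = "' . esc_sql($filter['book']) . '" ';
     } else {
         $bs = "AND bs.order = 0 AND bs.type= 'start' ";
     }
     if ($filter['tag'] != '') {
-        $cond .= "AND t.name LIKE '%" . $wpdb->escape($filter['tag']) . "%' ";
+        $cond .= "AND t.name LIKE '%" . esc_sql($filter['tag']) . "%' ";
     }
     if ($filter['id'] != '') {
-        $cond .= "AND m.id LIKE '" . $wpdb->escape($filter['id']) . "' ";
+        $cond .= "AND m.id LIKE '" . esc_sql($filter['id']) . "' ";
     }
     if ($hide_empty) {
@@ -811,5 +816,5 @@
     $offset = $limit * ($page - 1);
     if ($order['by'] == 'b.id' ) {
-        $order['by'] = 'b.id '.$wpdb->escape($order['dir']).', bs.chapter '.$wpdb->escape($order['dir']).', bs.verse';
+        $order['by'] = 'b.id '.esc_sql($order['dir']).', bs.chapter '.esc_sql($order['dir']).', bs.verse';
     }
     return "SELECT SQL_CALC_FOUND_ROWS DISTINCT m.id, m.title, m.description, m.datetime, m.time, m.start, m.end, p.id as pid, p.name as preacher, p.description as preacher_description, p.image, s.id as sid, s.name as service, ss.id as ssid, ss.name as series
@@ -876,5 +881,5 @@
     if (function_exists('current_user_can')&&!(current_user_can('edit_posts')|current_user_can('publish_posts'))) {
         global $wpdb;
-        $wpdb->query("UPDATE ".$wpdb->prefix."sb_stuff SET COUNT=COUNT+1 WHERE name='".$wpdb->escape($stuff_name)."'");
+        $wpdb->query("UPDATE ".$wpdb->prefix."sb_stuff SET COUNT=COUNT+1 WHERE name='".esc_sql($stuff_name)."'");
     }
 }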
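Review bot: The new `$valid_sortby_values` list at line 779 does not contain `'b.id'`, yet line 817 still tests `$order['by'] == 'b.id'` to build the book/chapter/verse ordering; after this commit that value is reset to `$default_order['by']` at line 781 before it gets there, so the branch is dead and sorting by Bible book silently stops working. Add it to the whitelist, `$valid_sortby_values = array( 'm.id', 'm.title', 'm.datetime', 'm.start', 'm.end', 'p.id', 'p.name', 's.id', 's.name', 'ss.id', 'ss.name', 'b.id');`, and pass `true` as the third argument of `in_array()` so the comparison is strict. The whitelist is the right control here, because `esc_sql()` at line 518 only escapes quotes and offers nothing for an identifier spliced unquoted into `ORDER BY`; that it protects the sortby path at all depends on `$sort_criteria` being what arrives in `$order['by']`, which these hunks do not show. The handlers at lines 86 and 160 would likewise be clearer as `$wpdb->prepare("SELECT name FROM {$wpdb->prefix}sb_stuff WHERE name = %s", rawurldecode($_GET['file_name']))` than as escape-then-interpolate. Every function touched here starts and ends outside the shown lines.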