Issues in pluginsmanager.php (master) - Issues in master - XoopsModules25x/apcal - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1210)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

admin/pluginsmanager.php (1 issue)

Labels

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/*
 * You may not change or alter any portion of this comment or credits
 * of supporting developers from this source code or any supporting source code
 * which is considered copyrighted (c) material of the original comment or credit authors.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 */

/**
 * @copyright   {@link http://xoops.org/ XOOPS Project}
 * @license     {@link http://www.fsf.org/copyleft/gpl.html GNU public license}
 * @package
 * @since
 * @author       XOOPS Development Team,
 * @author       GIJ=CHECKMATE (PEAK Corp. http://www.peak.ne.jp/)
 */

require_once __DIR__ . '/../../../include/cp_header.php';
require_once __DIR__ . '/../class/APCal.php';
require_once __DIR__ . '/../class/APCal_xoops.php';

// for "Duplicatable"
$moduleDirName = basename(dirname(__DIR__));
if (!preg_match('/^(\D+)(\d*)$/', $moduleDirName, $regs)) {
    echo('invalid dirname: ' . htmlspecialchars($moduleDirName));
}
$mydirnumber = $regs[2] === '' ? '' : (int)$regs[2];

require_once XOOPS_ROOT_PATH . "/modules/$moduleDirName/include/gtickets.php";

// fetch & sanitize from POST & GET
$action = empty($_POST['action']) ? '' : preg_replace('/[^a-zA-Z0-9_-]/', '', $_POST['type']);
$type   = empty($_GET['type']) ? 'monthly' : preg_replace('/[^a-zA-Z0-9_-]/', '', $_GET['type']);

$limit_type    = preg_replace('/([^0-9A-Za-z_.-]+)/', '', @$_GET['limit_type']);
$limit_dirname = preg_replace('/([^0-9A-Za-z_.-]+)/', '', @$_GET['limit_dirname']);
$limit_file    = preg_replace('/([^0-9A-Za-z_.-]+)/', '', @$_GET['limit_file']);

// connection to MySQL
$conn = $GLOBALS['xoopsDB']->conn;

// setting physical & virtual paths
$mod_path = XOOPS_ROOT_PATH . "/modules/$moduleDirName";
$mod_url  = XOOPS_URL . "/modules/$moduleDirName";

// creating an instance of APCal
$cal = new APCal_xoops('', $xoopsConfig['language'], true);

// setting properties of APCal
$cal->conn = $conn;
include __DIR__ . '/../include/read_configs.php';
$cal->base_url    = $mod_url;
$cal->base_path   = $mod_path;
$cal->images_url  = "$mod_url/assets/images/$skin_folder";
$cal->images_path = "$mod_path/assets/images/$skin_folder";

// XOOPS´ØÏ¢¤Î½é´ü²½
$myts = MyTextSanitizer::getInstance();

// get block instances of minicalex
$mcx_blocks = array();
if (substr(XOOPS_VERSION, 6, 3) > 2.0) {
    // block instance of XOOPS 2.1/2.2
    $mcx_rs = $GLOBALS['xoopsDB']->query('SELECT i.instanceid,i.title FROM '
                                         . $GLOBALS['xoopsDB']->prefix('block_instance')
                                         . ' i LEFT JOIN '
                                         . $GLOBALS['xoopsDB']->prefix('newblocks')
                                         . " b ON i.bid=b.bid WHERE b.mid='"
                                         . $xoopsModule->getVar('mid')
                                         . "' AND b.show_func='apcal_minical_ex_show'");
} else {
    // newblocks of XOOPS 2.0.x
    $mcx_rs = $GLOBALS['xoopsDB']->query('SELECT bid,title FROM '
                                         . $GLOBALS['xoopsDB']->prefix('newblocks')
                                         . " WHERE mid='"
                                         . $xoopsModule->getVar('mid')
                                         . "' AND show_func='apcal_minical_ex_show'");
}
while (list($bid, $title) = $GLOBALS['xoopsDB']->fetchRow($mcx_rs)) {
    $mcx_blocks[$bid] = $title;
}

// ¥Ç¡¼¥¿¥Ù¡¼¥¹¹¹¿·¤Ê¤É¤¬¤«¤é¤à½èÍý
if (!empty($_POST['update'])) {

    // Ticket Check
    if (!$xoopsGTicket->check()) {
        redirect_header(XOOPS_URL . '/', 3, $xoopsGTicket->getErrors());
    }

    // new
    if (!empty($_POST['pi_types'][0])) {
        if ($_POST['pi_types'][0] === 'all') {
            $types = array('monthly', 'weekly', 'daily');
            foreach ($mcx_blocks as $bid => $title) {
                $types[] = "mcx{$bid}";
            }
        } else {
            $types = array(addslashes($_POST['pi_types'][0]));
        }

        $pi_options4sql = addslashes($_POST['pi_options'][0]);
        $pi_weight4sql  = (int)$_POST['pi_weight'][0];
        $pi_title4sql   = addslashes($_POST['pi_titles'][0]);
        $pi_dirname4sql = addslashes($_POST['pi_dirnames'][0]);
        $pi_file4sql    = addslashes($_POST['pi_files'][0]);
        $pi_dotgif4sql  = addslashes($_POST['pi_dotgifs'][0]);

        foreach ($types as $type) {
            $type4sql = addslashes($type);
            if (!$GLOBALS['xoopsDB']->query("INSERT INTO $cal->plugin_table SET pi_type='$type4sql', pi_options='$pi_options4sql', pi_weight='$pi_weight4sql', pi_title='$pi_title4sql', pi_dirname='$pi_dirname4sql', pi_file='$pi_file4sql', pi_dotgif='$pi_dotgif4sql', pi_enabled='1'",
                                            $conn)
            ) {
                die($GLOBALS['xoopsDB']->error());
            }
        }
    }

    // ¥Ð¥Ã¥Á¥¢¥Ã¥×¥Ç¡¼¥È
    foreach (array_keys($_POST['pi_titles']) as $pi_id) {
        if ($pi_id <= 0) {
            continue;
        }
        if (!empty($_POST['deletes'][$pi_id])) {
            if (!$GLOBALS['xoopsDB']->query("DELETE FROM $cal->plugin_table WHERE pi_id=$pi_id")) {
                die($GLOBALS['xoopsDB']->error());
            }
        } else {
            $pi_type4sql    = addslashes($_POST['pi_types'][$pi_id]);
            $pi_options4sql = addslashes($_POST['pi_options'][$pi_id]);
            $pi_weight4sql  = (int)$_POST['pi_weight'][$pi_id];
            $pi_title4sql   = addslashes($_POST['pi_titles'][$pi_id]);
            $pi_title4sql   = addslashes($_POST['pi_titles'][$pi_id]);
            $pi_dirname4sql = addslashes($_POST['pi_dirnames'][$pi_id]);
            $pi_file4sql    = addslashes($_POST['pi_files'][$pi_id]);
            $pi_dotgif4sql  = addslashes($_POST['pi_dotgifs'][$pi_id]);
            $pi_enabled4sql = !empty($_POST['pi_enableds'][$pi_id]) ? 1 : 0;

            if (!$GLOBALS['xoopsDB']->query("UPDATE $cal->plugin_table SET pi_type='$pi_type4sql', pi_options='$pi_options4sql', pi_weight='$pi_weight4sql', pi_title='$pi_title4sql', pi_dirname='$pi_dirname4sql', pi_file='$pi_file4sql', pi_dotgif='$pi_dotgif4sql', pi_enabled='$pi_enabled4sql' WHERE pi_id=$pi_id",
                                            $conn)
            ) {
                die($GLOBALS['xoopsDB']->error());
            }
        }
    }

    // remove cache of APCal minical_ex
    if ($handler = opendir(XOOPS_CACHE_PATH . '/')) {
        while (($file = readdir($handler)) !== false) {
            if (substr($file, 0, 16) === 'APCal_minical_ex') {
                @unlink(XOOPS_CACHE_PATH . '/' . $file);
// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
            }
        }
    }

    $mes                 = urlencode(sprintf(_AM_APCAL_PI_UPDATED));
    $redirect_str4header = strtr("Location: $cal->connection://{$_SERVER['HTTP_HOST']}{$_SERVER['PHP_SELF']}?mes=$mes&limit_type=$limit_type&limit_dirname=$limit_dirname&limit_file=$limit_file",
                                 "\r\n\0", '   ');

    header($redirect_str4header);
    exit;
}

// ¥á¥¤¥ó½ÐÎÏÉô
xoops_cp_header();

echo '<h4>' . _MI_APCAL_ADMENU_PLUGINS . "</h4>\n";

if (!empty($_GET['mes'])) {
    echo "<p><font color='blue'>" . htmlspecialchars($_GET['mes'], ENT_QUOTES) . '</font></p>';
}

// mains (monthly, weekly, daily)
$type_options = "<option value='monthly'>" . _AM_APCAL_PI_VIEWMONTHLY . "</option>\n";
$type_options .= "<option value='weekly'>" . _AM_APCAL_PI_VIEWWEEKLY . "</option>\n";
$type_options .= "<option value='daily'>" . _AM_APCAL_PI_VIEWDAILY . "</option>\n";
// blocks - minicalex (mcx . $bid)
foreach ($mcx_blocks as $bid => $title) {
    $type_options .= "<option value='mcx{$bid}'>" . $myts->htmlSpecialChars($title) . "</option>\n";
}
$type_options4new = "<option value=''>----</option>\n<option value='all'>" . _ALL . "</option>\n" . $type_options;
$type_options     = "<option value=''>----</option>\n" . $type_options;

// dirname options
$dirname_options = "<option value=''>----</option>\n";
$dn_rs           = $GLOBALS['xoopsDB']->query('SELECT dirname FROM ' . $GLOBALS['xoopsDB']->prefix('modules'));
while (list($dirname) = $GLOBALS['xoopsDB']->fetchRow($dn_rs)) {
    $dirname_options .= "<option value='$dirname'>$dirname</option>\n";
}

// plugin file options
$file_options = "<option value=''>----</option>\n";
$plugins_dir  = $cal->base_path . '/' . $cal->plugins_path_monthly;
$dir_handle   = opendir($plugins_dir);
$valid_files  = array();
while (($file = readdir($dir_handle)) !== false) {
    if (is_file("$plugins_dir/$file")) {
        list($node, $ext) = explode('.', $file);
        if ($ext !== 'php') {
            continue;
        }
        $valid_files[] = $file;
    }
}
closedir($dir_handle);
sort($valid_files);
foreach ($valid_files as $file) {
    $file4disp    = htmlspecialchars($file, ENT_QUOTES);
    $file_options .= "<option value='$file4disp'>$file4disp</option>\n";
}

// dotgif options
$dotgif_options = '';
$dir_handle     = opendir($cal->images_path);
$valid_images   = array();
while (($file = readdir($dir_handle)) !== false) {
    if (is_file("$cal->images_path/$file")) {
        list($node, $ext) = explode('.', $file);
        if ($ext !== 'gif' && $ext !== 'png' && $ext !== 'jpg') {
            continue;
        }
        if (substr($node, 0, 3) !== 'dot') {
            continue;
        }
        $valid_images[] = $file;
    }
}
closedir($dir_handle);
sort($valid_images);
foreach ($valid_images as $file) {
    $file4disp      = htmlspecialchars($file, ENT_QUOTES);
    $dotgif_options .= "<option value='$file4disp'>$file4disp</option>\n";
}

// ordering the records of plugins
$columns = array(
    'pi_id',
    'pi_title',
    'pi_type',
    'pi_dirname',
    'pi_file',
    'pi_dotgif',
    'pi_options',
    'pi_enabled',
    'pi_weight'
);
$order   = in_array(@$_GET['order'], $columns) ? $_GET['order'] : 'pi_type';
// type limitation
if (!empty($limit_type)) {
    $whr_type = "pi_type='" . addslashes($limit_type) . "'";
} else {
    $whr_type = '1';
}

// dirname limitation
if (!empty($limit_dirname)) {
    $whr_dirname = "pi_dirname='" . addslashes($limit_dirname) . "'";
} else {
    $whr_dirname = '1';
}

// file limitation
if (!empty($limit_file)) {
    $whr_file = "pi_file='" . addslashes($limit_file) . "'";
} else {
    $whr_file = '1';
}

// select forms for extracting
echo "
    <form class='apcalForm' name='extraction' action='' method='get' style='margin:0px;'>
        <select name='limit_type'>" . make_selected($type_options, $limit_type) . "</select>
        <select name='limit_dirname'>" . make_selected($dirname_options, $limit_dirname) . "</select>
        <select name='limit_file'>" . make_selected($file_options, $limit_file) . "</select>
        <input type='submit' value='" . _AM_APCAL_BUTTON_EXTRACT . "' />
    </form>
    ";

// ¥×¥é¥°¥¤¥ó¥Ç¡¼¥¿¼èÆÀ
$prs = $GLOBALS['xoopsDB']->query("SELECT * FROM $cal->plugin_table WHERE ($whr_type) AND ($whr_dirname) AND ($whr_file) ORDER BY $order, pi_weight");

// TH Part
echo "
    <form class='apcalForm' id='MainForm' name='MainForm' action='?limit_type=$limit_type&amp;limit_dirname=$limit_dirname&amp;limit_file=$limit_file' method='post' style='margin:0px;'>
    " . $xoopsGTicket->getTicketHtml(__LINE__) . "
    <table width='100%' class='outer' cellpadding='4' cellspacing='1'>
      <tr valign='middle'>
        <th><a href='?order=pi_type' style='color:white;'>" . _AM_APCAL_PI_TH_TYPE . "</a></th>
        <th><a href='?order=pi_dirname' style='color:white;'>" . _AM_APCAL_PI_TH_DIRNAME . "</a></th>
        <th><a href='?order=pi_file' style='color:white;'>" . _AM_APCAL_PI_TH_FILE . "</a></th>
        <th><a href='?order=pi_title' style='color:white;'>" . _AM_APCAL_PI_TH_TITLE . "</a></th>
        <th><a href='?order=pi_dotgif' style='color:white;'>" . _AM_APCAL_PI_TH_DOTGIF . "</a></th>
        <th><a href='?order=pi_options' style='color:white;'>" . _AM_APCAL_PI_TH_OPTIONS . '</a></th>
        <th>&lt;-&gt;</th>
        <th>' . _AM_APCAL_PI_ENABLED . '</th>
        <th>' . _AM_APCAL_PI_DELETE . '</th>
      </tr>
    ';

// ¥ê¥¹¥È½ÐÎÏÉô
$oddeven = 'odd';
while ($plugin = $GLOBALS['xoopsDB']->fetchObject($prs)) {
    $oddeven = ($oddeven === 'odd' ? 'even' : 'odd');

    $pi_id           = (int)$plugin->pi_id;
    $enable_checked  = $plugin->pi_enabled ? 'checked' : '';
    $pi_title        = $myts->htmlSpecialChars($plugin->pi_title);
    $del_confirm     = 'confirm("' . sprintf(_AM_APCAL_FMT_CATDELCONFIRM, $pi_title) . '")';
    $pi_options4disp = htmlspecialchars($plugin->pi_options, ENT_QUOTES);
    echo "
      <tr>
        <td class='$oddeven'>
          <select name='pi_types[$pi_id]'>
            " . make_selected($type_options, $plugin->pi_type) . "
          </select>
        </td>
        <td class='$oddeven'>
          <select name='pi_dirnames[$pi_id]'>
            " . make_selected($dirname_options, $plugin->pi_dirname) . "
          </select>
        </td>
        <td class='$oddeven'>
          <select name='pi_files[$pi_id]'>
            " . make_selected($file_options, $plugin->pi_file) . "
          </select>
        </td>
        <td class='$oddeven'>
          <input type='text' name='pi_titles[$pi_id]' value='$pi_title' size='8' />
        </td>
        <td class='$oddeven'>
          <select name='pi_dotgifs[$pi_id]'>
            " . make_selected($dotgif_options, $plugin->pi_dotgif) . "
          </select>
        </td>
        <td class='$oddeven'>
          <input type='text' name='pi_options[$pi_id]' value='$pi_options4disp' size='10' />
        </td>
        <td class='$oddeven'>
          <input type='text' name='pi_weight[$pi_id]' value='$plugin->pi_weight' size='2' style='text-align:right;' />
        </td>
        <td class='$oddeven'>
          <input type='checkbox' value='1' name='pi_enableds[$pi_id]' $enable_checked />
        </td>
        <td class='$oddeven'>
          <input type='checkbox' value='1' name='deletes[$pi_id]' />
        </td>
      </tr>
        \n";
}

// ¿·µ¬ÆþÎÏÉô
echo "
      <tr>
        <td colspan='9'><br></td>
      </tr>
      <tr>
        <td class='$oddeven' style='background-color:#FFCCCC;'>
          <select name='pi_types[0]'>$type_options4new</select>
        </td>
        <td class='$oddeven' style='background-color:#FFCCCC;'>
          <select name='pi_dirnames[0]'>$dirname_options</select>
        </td>
        <td class='$oddeven' style='background-color:#FFCCCC;'>
          <select name='pi_files[0]'>
            " . make_selected($file_options, 'APCal.php') . "
          </select>
        </td>
        <td class='$oddeven' style='background-color:#FFCCCC;'>
          <input type='text' name='pi_titles[0]' value='' size='8' />
        </td>
        <td class='$oddeven' style='background-color:#FFCCCC;'>
          <select name='pi_dotgifs[0]'>
            " . make_selected($dotgif_options, 'dot8x8blue.gif') . "
          </select>
        </td>
        <td class='$oddeven' style='background-color:#FFCCCC;'>
          <input type='text' name='pi_options[0]' value='' size='10' />
        </td>
        <td class='$oddeven' style='background-color:#FFCCCC;'>
          <input type='text' name='pi_weight[0]' value='0' size='2' style='text-align:right;' />
        </td>
        <td class='$oddeven' colspan='2' style='background-color:#FFCCCC;'>
          " . _AM_APCAL_PI_NEW . "
        </td>
      </tr>
        \n";

// ¥Æ¡¼¥Ö¥ë¥Õ¥Ã¥¿Éô
echo "
      <tr>
        <td colspan='9' align='right' class='head'><input type='submit' name='update' value='" . _AM_APCAL_BTN_UPDATE . "' /></td>
      </tr>
      <tr>
        <td colspan='9' align='right' valign='bottom' height='50'>" . _AM_APCAL_COPYRIGHT . '</td>
      </tr>
    </table>
    </form>
    ';

xoops_cp_footer();

/**
 * @param $options
 * @param $current
 * @return mixed
 */
function make_selected($options, $current)
{
    return str_replace("value='{$current}'>", "value='{$current}' selected>", $options);
}


1		<?php
2		/*
3		* You may not change or alter any portion of this comment or credits
4		* of supporting developers from this source code or any supporting source code
5		* which is considered copyrighted (c) material of the original comment or credit authors.
6		*
7		* This program is distributed in the hope that it will be useful,
8		* but WITHOUT ANY WARRANTY; without even the implied warranty of
9		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
10		*/
11
12		/**
13		* @copyright {@link http://xoops.org/ XOOPS Project}
14		* @license {@link http://www.fsf.org/copyleft/gpl.html GNU public license}
15		* @package
16		* @since
17		* @author XOOPS Development Team,
18		* @author GIJ=CHECKMATE (PEAK Corp. http://www.peak.ne.jp/)
19		*/
20
21		require_once __DIR__ . '/../../../include/cp_header.php';
22		require_once __DIR__ . '/../class/APCal.php';
23		require_once __DIR__ . '/../class/APCal_xoops.php';
24
25		// for "Duplicatable"
26		$moduleDirName = basename(dirname(__DIR__));
27		if (!preg_match('/^(\D+)(\d*)$/', $moduleDirName, $regs)) {
28		echo('invalid dirname: ' . htmlspecialchars($moduleDirName));
29		}
30		$mydirnumber = $regs[2] === '' ? '' : (int)$regs[2];
31
32		require_once XOOPS_ROOT_PATH . "/modules/$moduleDirName/include/gtickets.php";
33
34		// fetch & sanitize from POST & GET
35		$action = empty($_POST['action']) ? '' : preg_replace('/[^a-zA-Z0-9_-]/', '', $_POST['type']);
36		$type = empty($_GET['type']) ? 'monthly' : preg_replace('/[^a-zA-Z0-9_-]/', '', $_GET['type']);
37
38		$limit_type = preg_replace('/([^0-9A-Za-z_.-]+)/', '', @$_GET['limit_type']);
39		$limit_dirname = preg_replace('/([^0-9A-Za-z_.-]+)/', '', @$_GET['limit_dirname']);
40		$limit_file = preg_replace('/([^0-9A-Za-z_.-]+)/', '', @$_GET['limit_file']);
41
42		// connection to MySQL
43		$conn = $GLOBALS['xoopsDB']->conn;
44
45		// setting physical & virtual paths
46		$mod_path = XOOPS_ROOT_PATH . "/modules/$moduleDirName";
47		$mod_url = XOOPS_URL . "/modules/$moduleDirName";
48
49		// creating an instance of APCal
50		$cal = new APCal_xoops('', $xoopsConfig['language'], true);
51
52		// setting properties of APCal
53		$cal->conn = $conn;
54		include __DIR__ . '/../include/read_configs.php';
55		$cal->base_url = $mod_url;
56		$cal->base_path = $mod_path;
57		$cal->images_url = "$mod_url/assets/images/$skin_folder";
58		$cal->images_path = "$mod_path/assets/images/$skin_folder";
59
60		// XOOPS´ØÏ¢¤Î½é´ü²½
61		$myts = MyTextSanitizer::getInstance();
62
63		// get block instances of minicalex
64		$mcx_blocks = array();
65		if (substr(XOOPS_VERSION, 6, 3) > 2.0) {
66		// block instance of XOOPS 2.1/2.2
67		$mcx_rs = $GLOBALS['xoopsDB']->query('SELECT i.instanceid,i.title FROM '
68		. $GLOBALS['xoopsDB']->prefix('block_instance')
69		. ' i LEFT JOIN '
70		. $GLOBALS['xoopsDB']->prefix('newblocks')
71		. " b ON i.bid=b.bid WHERE b.mid='"
72		. $xoopsModule->getVar('mid')
73		. "' AND b.show_func='apcal_minical_ex_show'");
74		} else {
75		// newblocks of XOOPS 2.0.x
76		$mcx_rs = $GLOBALS['xoopsDB']->query('SELECT bid,title FROM '
77		. $GLOBALS['xoopsDB']->prefix('newblocks')
78		. " WHERE mid='"
79		. $xoopsModule->getVar('mid')
80		. "' AND show_func='apcal_minical_ex_show'");
81		}
82		while (list($bid, $title) = $GLOBALS['xoopsDB']->fetchRow($mcx_rs)) {
83		$mcx_blocks[$bid] = $title;
84		}
85
86		// ¥Ç¡¼¥¿¥Ù¡¼¥¹¹¹¿·¤Ê¤É¤¬¤«¤é¤à½èÍý
87		if (!empty($_POST['update'])) {
88
89		// Ticket Check
90		if (!$xoopsGTicket->check()) {
91		redirect_header(XOOPS_URL . '/', 3, $xoopsGTicket->getErrors());
92		}
93
94		// new
95		if (!empty($_POST['pi_types'][0])) {
96		if ($_POST['pi_types'][0] === 'all') {
97		$types = array('monthly', 'weekly', 'daily');
98		foreach ($mcx_blocks as $bid => $title) {
99		$types[] = "mcx{$bid}";
100		}
101		} else {
102		$types = array(addslashes($_POST['pi_types'][0]));
103		}
104
105		$pi_options4sql = addslashes($_POST['pi_options'][0]);
106		$pi_weight4sql = (int)$_POST['pi_weight'][0];
107		$pi_title4sql = addslashes($_POST['pi_titles'][0]);
108		$pi_dirname4sql = addslashes($_POST['pi_dirnames'][0]);
109		$pi_file4sql = addslashes($_POST['pi_files'][0]);
110		$pi_dotgif4sql = addslashes($_POST['pi_dotgifs'][0]);
111
112		foreach ($types as $type) {
113		$type4sql = addslashes($type);
114	View Code Duplication	if (!$GLOBALS['xoopsDB']->query("INSERT INTO $cal->plugin_table SET pi_type='$type4sql', pi_options='$pi_options4sql', pi_weight='$pi_weight4sql', pi_title='$pi_title4sql', pi_dirname='$pi_dirname4sql', pi_file='$pi_file4sql', pi_dotgif='$pi_dotgif4sql', pi_enabled='1'",
115		$conn)
116		) {
117		die($GLOBALS['xoopsDB']->error());
118		}
119		}
120		}
121
122		// ¥Ð¥Ã¥Á¥¢¥Ã¥×¥Ç¡¼¥È
123		foreach (array_keys($_POST['pi_titles']) as $pi_id) {
124		if ($pi_id <= 0) {
125		continue;
126		}
127		if (!empty($_POST['deletes'][$pi_id])) {
128		if (!$GLOBALS['xoopsDB']->query("DELETE FROM $cal->plugin_table WHERE pi_id=$pi_id")) {
129		die($GLOBALS['xoopsDB']->error());
130		}
131		} else {
132		$pi_type4sql = addslashes($_POST['pi_types'][$pi_id]);
133		$pi_options4sql = addslashes($_POST['pi_options'][$pi_id]);
134		$pi_weight4sql = (int)$_POST['pi_weight'][$pi_id];
135		$pi_title4sql = addslashes($_POST['pi_titles'][$pi_id]);
136		$pi_title4sql = addslashes($_POST['pi_titles'][$pi_id]);
137		$pi_dirname4sql = addslashes($_POST['pi_dirnames'][$pi_id]);
138		$pi_file4sql = addslashes($_POST['pi_files'][$pi_id]);
139		$pi_dotgif4sql = addslashes($_POST['pi_dotgifs'][$pi_id]);
140		$pi_enabled4sql = !empty($_POST['pi_enableds'][$pi_id]) ? 1 : 0;
141
142	View Code Duplication	if (!$GLOBALS['xoopsDB']->query("UPDATE $cal->plugin_table SET pi_type='$pi_type4sql', pi_options='$pi_options4sql', pi_weight='$pi_weight4sql', pi_title='$pi_title4sql', pi_dirname='$pi_dirname4sql', pi_file='$pi_file4sql', pi_dotgif='$pi_dotgif4sql', pi_enabled='$pi_enabled4sql' WHERE pi_id=$pi_id",
143		$conn)
144		) {
145		die($GLOBALS['xoopsDB']->error());
146		}
147		}
148		}
149
150		// remove cache of APCal minical_ex
151		if ($handler = opendir(XOOPS_CACHE_PATH . '/')) {
152		while (($file = readdir($handler)) !== false) {
153		if (substr($file, 0, 16) === 'APCal_minical_ex') {
154		@unlink(XOOPS_CACHE_PATH . '/' . $file);
		0 ignored issues – show Security Best Practice introduced 2017-03-23 08:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you do not handle an error condition here. This can introduce security issues, and is generally not recommended. If you suppress an error, we recommend checking for the error condition explicitly: // For example instead of @mkdir($dir); // Better use if (@mkdir($dir) === false) { throw new \RuntimeException('The directory '.$dir.' could not be created.'); } Loading history...
155		}
156		}
157		}
158
159		$mes = urlencode(sprintf(_AM_APCAL_PI_UPDATED));
160		$redirect_str4header = strtr("Location: $cal->connection://{$_SERVER['HTTP_HOST']}{$_SERVER['PHP_SELF']}?mes=$mes&limit_type=$limit_type&limit_dirname=$limit_dirname&limit_file=$limit_file",
161		"\r\n\0", ' ');
162
163		header($redirect_str4header);
164		exit;
165		}
166
167		// ¥á¥¤¥ó½ÐÎÏÉô
168		xoops_cp_header();
169
170		echo '<h4>' . _MI_APCAL_ADMENU_PLUGINS . "</h4>\n";
171
172	View Code Duplication	if (!empty($_GET['mes'])) {
173		echo "<p><font color='blue'>" . htmlspecialchars($_GET['mes'], ENT_QUOTES) . '</font></p>';
174		}
175
176		// mains (monthly, weekly, daily)
177		$type_options = "<option value='monthly'>" . _AM_APCAL_PI_VIEWMONTHLY . "</option>\n";
178		$type_options .= "<option value='weekly'>" . _AM_APCAL_PI_VIEWWEEKLY . "</option>\n";
179		$type_options .= "<option value='daily'>" . _AM_APCAL_PI_VIEWDAILY . "</option>\n";
180		// blocks - minicalex (mcx . $bid)
181		foreach ($mcx_blocks as $bid => $title) {
182		$type_options .= "<option value='mcx{$bid}'>" . $myts->htmlSpecialChars($title) . "</option>\n";
183		}
184		$type_options4new = "<option value=''>----</option>\n<option value='all'>" . _ALL . "</option>\n" . $type_options;
185		$type_options = "<option value=''>----</option>\n" . $type_options;
186
187		// dirname options
188		$dirname_options = "<option value=''>----</option>\n";
189		$dn_rs = $GLOBALS['xoopsDB']->query('SELECT dirname FROM ' . $GLOBALS['xoopsDB']->prefix('modules'));
190		while (list($dirname) = $GLOBALS['xoopsDB']->fetchRow($dn_rs)) {
191		$dirname_options .= "<option value='$dirname'>$dirname</option>\n";
192		}
193
194		// plugin file options
195		$file_options = "<option value=''>----</option>\n";
196		$plugins_dir = $cal->base_path . '/' . $cal->plugins_path_monthly;
197		$dir_handle = opendir($plugins_dir);
198		$valid_files = array();
199		while (($file = readdir($dir_handle)) !== false) {
200		if (is_file("$plugins_dir/$file")) {
201		list($node, $ext) = explode('.', $file);
202		if ($ext !== 'php') {
203		continue;
204		}
205		$valid_files[] = $file;
206		}
207		}
208		closedir($dir_handle);
209		sort($valid_files);
210		foreach ($valid_files as $file) {
211		$file4disp = htmlspecialchars($file, ENT_QUOTES);
212		$file_options .= "<option value='$file4disp'>$file4disp</option>\n";
213		}
214
215		// dotgif options
216		$dotgif_options = '';
217		$dir_handle = opendir($cal->images_path);
218		$valid_images = array();
219		while (($file = readdir($dir_handle)) !== false) {
220		if (is_file("$cal->images_path/$file")) {
221		list($node, $ext) = explode('.', $file);
222		if ($ext !== 'gif' && $ext !== 'png' && $ext !== 'jpg') {
223		continue;
224		}
225		if (substr($node, 0, 3) !== 'dot') {
226		continue;
227		}
228		$valid_images[] = $file;
229		}
230		}
231		closedir($dir_handle);
232		sort($valid_images);
233		foreach ($valid_images as $file) {
234		$file4disp = htmlspecialchars($file, ENT_QUOTES);
235		$dotgif_options .= "<option value='$file4disp'>$file4disp</option>\n";
236		}
237
238		// ordering the records of plugins
239		$columns = array(
240		'pi_id',
241		'pi_title',
242		'pi_type',
243		'pi_dirname',
244		'pi_file',
245		'pi_dotgif',
246		'pi_options',
247		'pi_enabled',
248		'pi_weight'
249		);
250		$order = in_array(@$_GET['order'], $columns) ? $_GET['order'] : 'pi_type';
251		// type limitation
252		if (!empty($limit_type)) {
253		$whr_type = "pi_type='" . addslashes($limit_type) . "'";
254		} else {
255		$whr_type = '1';
256		}
257
258		// dirname limitation
259		if (!empty($limit_dirname)) {
260		$whr_dirname = "pi_dirname='" . addslashes($limit_dirname) . "'";
261		} else {
262		$whr_dirname = '1';
263		}
264
265		// file limitation
266		if (!empty($limit_file)) {
267		$whr_file = "pi_file='" . addslashes($limit_file) . "'";
268		} else {
269		$whr_file = '1';
270		}
271
272		// select forms for extracting
273		echo "
274		<form class='apcalForm' name='extraction' action='' method='get' style='margin:0px;'>
275		<select name='limit_type'>" . make_selected($type_options, $limit_type) . "</select>
276		<select name='limit_dirname'>" . make_selected($dirname_options, $limit_dirname) . "</select>
277		<select name='limit_file'>" . make_selected($file_options, $limit_file) . "</select>
278		<input type='submit' value='" . _AM_APCAL_BUTTON_EXTRACT . "' />
279		</form>
280		";
281
282		// ¥×¥é¥°¥¤¥ó¥Ç¡¼¥¿¼èÆÀ
283		$prs = $GLOBALS['xoopsDB']->query("SELECT * FROM $cal->plugin_table WHERE ($whr_type) AND ($whr_dirname) AND ($whr_file) ORDER BY $order, pi_weight");
284
285		// TH Part
286		echo "
287		<form class='apcalForm' id='MainForm' name='MainForm' action='?limit_type=$limit_type&limit_dirname=$limit_dirname&limit_file=$limit_file' method='post' style='margin:0px;'>
288		" . $xoopsGTicket->getTicketHtml(__LINE__) . "
289		<table width='100%' class='outer' cellpadding='4' cellspacing='1'>
290		<tr valign='middle'>
291		<th><a href='?order=pi_type' style='color:white;'>" . _AM_APCAL_PI_TH_TYPE . "</a></th>
292		<th><a href='?order=pi_dirname' style='color:white;'>" . _AM_APCAL_PI_TH_DIRNAME . "</a></th>
293		<th><a href='?order=pi_file' style='color:white;'>" . _AM_APCAL_PI_TH_FILE . "</a></th>
294		<th><a href='?order=pi_title' style='color:white;'>" . _AM_APCAL_PI_TH_TITLE . "</a></th>
295		<th><a href='?order=pi_dotgif' style='color:white;'>" . _AM_APCAL_PI_TH_DOTGIF . "</a></th>
296		<th><a href='?order=pi_options' style='color:white;'>" . _AM_APCAL_PI_TH_OPTIONS . '</a></th>
297		<th><-></th>
298		<th>' . _AM_APCAL_PI_ENABLED . '</th>
299		<th>' . _AM_APCAL_PI_DELETE . '</th>
300		</tr>
301		';
302
303		// ¥ê¥¹¥È½ÐÎÏÉô
304		$oddeven = 'odd';
305		while ($plugin = $GLOBALS['xoopsDB']->fetchObject($prs)) {
306		$oddeven = ($oddeven === 'odd' ? 'even' : 'odd');
307
308		$pi_id = (int)$plugin->pi_id;
309		$enable_checked = $plugin->pi_enabled ? 'checked' : '';
310		$pi_title = $myts->htmlSpecialChars($plugin->pi_title);
311		$del_confirm = 'confirm("' . sprintf(_AM_APCAL_FMT_CATDELCONFIRM, $pi_title) . '")';
312		$pi_options4disp = htmlspecialchars($plugin->pi_options, ENT_QUOTES);
313		echo "
314		<tr>
315		<td class='$oddeven'>
316		<select name='pi_types[$pi_id]'>
317		" . make_selected($type_options, $plugin->pi_type) . "
318		</select>
319		</td>
320		<td class='$oddeven'>
321		<select name='pi_dirnames[$pi_id]'>
322		" . make_selected($dirname_options, $plugin->pi_dirname) . "
323		</select>
324		</td>
325		<td class='$oddeven'>
326		<select name='pi_files[$pi_id]'>
327		" . make_selected($file_options, $plugin->pi_file) . "
328		</select>
329		</td>
330		<td class='$oddeven'>
331		<input type='text' name='pi_titles[$pi_id]' value='$pi_title' size='8' />
332		</td>
333		<td class='$oddeven'>
334		<select name='pi_dotgifs[$pi_id]'>
335		" . make_selected($dotgif_options, $plugin->pi_dotgif) . "
336		</select>
337		</td>
338		<td class='$oddeven'>
339		<input type='text' name='pi_options[$pi_id]' value='$pi_options4disp' size='10' />
340		</td>
341		<td class='$oddeven'>
342		<input type='text' name='pi_weight[$pi_id]' value='$plugin->pi_weight' size='2' style='text-align:right;' />
343		</td>
344		<td class='$oddeven'>
345		<input type='checkbox' value='1' name='pi_enableds[$pi_id]' $enable_checked />
346		</td>
347		<td class='$oddeven'>
348		<input type='checkbox' value='1' name='deletes[$pi_id]' />
349		</td>
350		</tr>
351		\n";
352		}
353
354		// ¿·µ¬ÆþÎÏÉô
355		echo "
356		<tr>
357		<td colspan='9'><br></td>
358		</tr>
359		<tr>
360		<td class='$oddeven' style='background-color:#FFCCCC;'>
361		<select name='pi_types[0]'>$type_options4new</select>
362		</td>
363		<td class='$oddeven' style='background-color:#FFCCCC;'>
364		<select name='pi_dirnames[0]'>$dirname_options</select>
365		</td>
366		<td class='$oddeven' style='background-color:#FFCCCC;'>
367		<select name='pi_files[0]'>
368		" . make_selected($file_options, 'APCal.php') . "
369		</select>
370		</td>
371		<td class='$oddeven' style='background-color:#FFCCCC;'>
372		<input type='text' name='pi_titles[0]' value='' size='8' />
373		</td>
374		<td class='$oddeven' style='background-color:#FFCCCC;'>
375		<select name='pi_dotgifs[0]'>
376		" . make_selected($dotgif_options, 'dot8x8blue.gif') . "
377		</select>
378		</td>
379		<td class='$oddeven' style='background-color:#FFCCCC;'>
380		<input type='text' name='pi_options[0]' value='' size='10' />
381		</td>
382		<td class='$oddeven' style='background-color:#FFCCCC;'>
383		<input type='text' name='pi_weight[0]' value='0' size='2' style='text-align:right;' />
384		</td>
385		<td class='$oddeven' colspan='2' style='background-color:#FFCCCC;'>
386		" . _AM_APCAL_PI_NEW . "
387		</td>
388		</tr>
389		\n";
390
391		// ¥Æ¡¼¥Ö¥ë¥Õ¥Ã¥¿Éô
392		echo "
393		<tr>
394		<td colspan='9' align='right' class='head'><input type='submit' name='update' value='" . _AM_APCAL_BTN_UPDATE . "' /></td>
395		</tr>
396		<tr>
397		<td colspan='9' align='right' valign='bottom' height='50'>" . _AM_APCAL_COPYRIGHT . '</td>
398		</tr>
399		</table>
400		</form>
401		';
402
403		xoops_cp_footer();
404
405		/**
406		* @param $options
407		* @param $current
408		* @return mixed
409		*/
410		function make_selected($options, $current)
411		{
412		return str_replace("value='{$current}'>", "value='{$current}' selected>", $options);
413		}
414

XoopsModules25x / apcal

Issues (1210)

Security Analysis not enabled

admin/pluginsmanager.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like