Changeset 6527
- Timestamp:
- 08/31/08 20:20:32 (5 years ago)
- Files:
-
- modules/branches/2.5/announcement/functions.inc.php (modified) (4 diffs)
- modules/branches/2.5/core/functions.inc.php (modified) (9 diffs)
- modules/branches/2.5/core/install.php (modified) (1 diff)
- modules/branches/2.5/daynight/functions.inc.php (modified) (2 diffs)
- modules/branches/2.5/disa/functions.inc.php (modified) (4 diffs)
- modules/branches/2.5/languages/functions.inc.php (modified) (4 diffs)
- modules/branches/2.5/miscapps/functions.inc.php (modified) (4 diffs)
- modules/branches/2.5/paging/functions.inc.php (modified) (5 diffs)
- modules/branches/2.5/queueprio/functions.inc.php (modified) (4 diffs)
- modules/branches/2.5/queues/functions.inc.php (modified) (2 diffs)
- modules/branches/2.5/recordings/functions.inc.php (modified) (3 diffs)
- modules/branches/2.5/timeconditions/functions.inc.php (modified) (1 diff)
- modules/branches/2.5/vmblast/functions.inc.php (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
- Modified
- Copied
- Moved
modules/branches/2.5/announcement/functions.inc.php
r6128 r6527 130 130 function announcement_get($announcement_id) { 131 131 global $db; 132 $sql = "SELECT announcement_id, description, recording_id, allow_skip, post_dest, return_ivr, noanswer, repeat_msg FROM announcement WHERE announcement_id = '". addslashes($announcement_id)."'";132 $sql = "SELECT announcement_id, description, recording_id, allow_skip, post_dest, return_ivr, noanswer, repeat_msg FROM announcement WHERE announcement_id = '".$db->escapeSimple($announcement_id)."'"; 133 133 $row = $db->getRow($sql,DB_FETCHMODE_ASSOC); 134 134 if(DB::IsError($row)) { … … 148 148 global $db; 149 149 $sql = "INSERT INTO announcement (description, recording_id, allow_skip, post_dest, return_ivr, noanswer, repeat_msg) VALUES (". 150 "'". addslashes($description)."', ".150 "'".$db->escapeSimple($description)."', ". 151 151 "'".$recording_id."', ". 152 152 "'".($allow_skip ? 1 : 0)."', ". 153 "'". addslashes($post_dest)."', ".153 "'".$db->escapeSimple($post_dest)."', ". 154 154 "'".($return_ivr ? 1 : 0)."', ". 155 155 "'".($noanswer ? 1 : 0)."', ". 156 "'". addslashes($repeat_msg)."')";156 "'".$db->escapeSimple($repeat_msg)."')"; 157 157 $result = $db->query($sql); 158 158 if(DB::IsError($result)) { … … 163 163 function announcement_delete($announcement_id) { 164 164 global $db; 165 $sql = "DELETE FROM announcement WHERE announcement_id = ". addslashes($announcement_id);165 $sql = "DELETE FROM announcement WHERE announcement_id = ".$db->escapeSimple($announcement_id); 166 166 $result = $db->query($sql); 167 167 if(DB::IsError($result)) { … … 174 174 global $db; 175 175 $sql = "UPDATE announcement SET ". 176 "description = '". addslashes($description)."', ".176 "description = '".$db->escapeSimple($description)."', ". 177 177 "recording_id = '".$recording_id."', ". 178 178 "allow_skip = '".($allow_skip ? 1 : 0)."', ". 179 "post_dest = '". addslashes($post_dest)."', ".179 "post_dest = '".$db->escapeSimple($post_dest)."', ". 180 180 "return_ivr = '".($return_ivr ? 1 : 0)."', ". 181 181 "noanswer = '".($noanswer ? 1 : 0)."', ". 182 "repeat_msg = '". addslashes($repeat_msg)."' ".183 "WHERE announcement_id = ". addslashes($announcement_id);182 "repeat_msg = '".$db->escapeSimple($repeat_msg)."' ". 183 "WHERE announcement_id = ".$db->escapeSimple($announcement_id); 184 184 $result = $db->query($sql); 185 185 if(DB::IsError($result)) { modules/branches/2.5/core/functions.inc.php
r6521 r6527 1828 1828 1829 1829 function core_did_edit($old_extension,$old_cidnum, $incoming){ 1830 1831 $old_extension = addslashes(trim($old_extension)); 1832 $old_cidnum = addslashes(trim($old_cidnum)); 1830 global $db; 1831 1832 $old_extension = $db->escapeSimple(trim($old_extension)); 1833 $old_cidnum = $db->escapeSimple(trim($old_cidnum)); 1833 1834 1834 1835 $incoming['extension'] = trim($incoming['extension']); 1835 1836 $incoming['cidnum'] = trim($incoming['cidnum']); 1836 1837 1837 $extension = addslashes($incoming['extension']);1838 $cidnum = addslashes($incoming['cidnum']);1838 $extension = $db->escapeSimple($incoming['extension']); 1839 $cidnum = $db->escapeSimple($incoming['cidnum']); 1839 1840 1840 1841 // if did or cid changed, then check to make sure that this pair is not already being used. … … 1855 1856 1856 1857 function core_did_add($incoming,$target=false){ 1857 foreach ($incoming as $key => $val) { ${$key} = addslashes($val); } // create variables from request 1858 global $db; 1859 foreach ($incoming as $key => $val) { ${$key} = $db->escapeSimple($val); } // create variables from request 1858 1860 1859 1861 // Check to make sure the did is not being used elsewhere … … 1928 1930 global $currentFile; 1929 1931 global $astman; 1932 global $db; 1930 1933 1931 1934 $display = isset($_REQUEST['display'])?$_REQUEST['display']:''; … … 1967 1970 if(!get_magic_quotes_gpc()) { 1968 1971 if(!empty($emergency_cid)) 1969 $emergency_cid = addslashes($emergency_cid);1972 $emergency_cid = $db->escapeSimple($emergency_cid); 1970 1973 if(!empty($description)) 1971 $description = addslashes($description);1974 $description = $db->escapeSimple($description); 1972 1975 } 1973 1976 … … 2170 2173 global $amp_conf; 2171 2174 global $astman; 2175 global $db; 2172 2176 2173 2177 $sql = "SELECT * FROM users"; … … 2182 2186 $astman->database_put("AMPUSER",$extension."/noanswer",$noanswer); 2183 2187 $astman->database_put("AMPUSER",$extension."/recording",$recording); 2184 $astman->database_put("AMPUSER",$extension."/outboundcid","\"". addslashes($outboundcid)."\"");2185 $astman->database_put("AMPUSER",$extension."/cidname","\"". addslashes($name)."\"");2188 $astman->database_put("AMPUSER",$extension."/outboundcid","\"".$db->escapeSimple($outboundcid)."\""); 2189 $astman->database_put("AMPUSER",$extension."/cidname","\"".$db->escapeSimple($name)."\""); 2186 2190 $astman->database_put("AMPUSER",$extension."/voicemail","\"".$voicemail."\""); 2187 2191 } … … 2596 2600 } 2597 2601 2598 $newdid_name = isset($newdid_name) ? addslashes($newdid_name) : '';2602 $newdid_name = isset($newdid_name) ? $db->escapeSimple($newdid_name) : ''; 2599 2603 $newdid = isset($newdid) ? $newdid : ''; 2600 2604 $newdid = preg_replace("/[^0-9._XxNnZz\[\]\-\+]/" ,"", trim($newdid)); … … 2634 2638 //escape quotes and any other bad chars: 2635 2639 if(!get_magic_quotes_gpc()) { 2636 $outboundcid = addslashes($outboundcid);2637 $name = addslashes($name);2640 $outboundcid = $db->escapeSimple($outboundcid); 2641 $name = $db->escapeSimple($name); 2638 2642 } 2639 2643 … … 2845 2849 // clean and check the did to make sure it is not being used by another extension or in did routing 2846 2850 // 2847 $newdid_name = isset($newdid_name) ? addslashes($newdid_name) : '';2851 $newdid_name = isset($newdid_name) ? $db->escapeSimple($newdid_name) : ''; 2848 2852 $newdid = isset($vars['newdid']) ? $vars['newdid'] : ''; 2849 2853 $newdid = preg_replace("/[^0-9._XxNnZz\[\]\-\+]/" ,"", trim($newdid)); modules/branches/2.5/core/install.php
r6521 r6527 17 17 18 18 foreach ($incoming as $key => $val) { 19 ${$key} = addslashes($val);19 ${$key} = $db->escapeSimple($val); 20 20 } 21 21 modules/branches/2.5/daynight/functions.inc.php
r6300 r6527 264 264 265 265 function daynight_edit($post, $id=0) { 266 global $db; 266 267 267 268 // TODO: Probably have separate add and edit (and change in page.daynight.php also) … … 282 283 } 283 284 $fc_description = isset($post['fc_description']) ? trim($post['fc_description']) : ""; 284 sql("INSERT INTO daynight (ext, dmode, dest) VALUES ('$id', 'fc_description', '". addslashes($fc_description)."')");285 sql("INSERT INTO daynight (ext, dmode, dest) VALUES ('$id', 'fc_description', '".$db->escapeSimple($fc_description)."')"); 285 286 286 287 $dn = new dayNightObject($id); modules/branches/2.5/disa/functions.inc.php
r6428 r6527 170 170 171 171 function disa_add($post) { 172 global $db; 172 173 if(!disa_chk($post)) { 173 174 return null; … … 179 180 $displayname = "unnamed"; 180 181 } 181 $results = sql("INSERT INTO disa (displayname,pin,cid,context,resptimeout,digittimeout,needconf,hangup) values ('". addslashes($displayname)."','".addslashes($pin)."','".addslashes($cid)."','".addslashes($context)."', '".addslashes($resptimeout)."', '".addslashes($digittimeout)."', '$needconf', '$hangup')");182 $results = sql("INSERT INTO disa (displayname,pin,cid,context,resptimeout,digittimeout,needconf,hangup) values ('".$db->escapeSimple($displayname)."','".$db->escapeSimple($pin)."','".$db->escapeSimple($cid)."','".$db->escapeSimple($context)."', '".$db->escapeSimple($resptimeout)."', '".$db->escapeSimple($digittimeout)."', '$needconf', '$hangup')"); 182 183 } 183 184 … … 188 189 189 190 function disa_edit($id, $post) { 191 global $db; 190 192 if (!disa_chk($post)) { 191 193 return null; … … 198 200 $displayname = "unnamed"; 199 201 } 200 $results = sql("UPDATE disa set displayname = '". addslashes($displayname)."', pin = '".addslashes($pin)."', cid = '".addslashes($cid)."', context = '".addslashes($context)."', resptimeout = '".addslashes($resptimeout)."', digittimeout = '".addslashes($digittimeout)."', needconf = \"$needconf\", hangup = \"$hangup\" where disa_id = '$id'");202 $results = sql("UPDATE disa set displayname = '".$db->escapeSimple($displayname)."', pin = '".$db->escapeSimple($pin)."', cid = '".$db->escapeSimple($cid)."', context = '".$db->escapeSimple($context)."', resptimeout = '".$db->escapeSimple($resptimeout)."', digittimeout = '".$db->escapeSimple($digittimeout)."', needconf = \"$needconf\", hangup = \"$hangup\" where disa_id = '$id'"); 201 203 } 202 204 ?> modules/branches/2.5/languages/functions.inc.php
r6485 r6527 83 83 function languages_get($language_id) { 84 84 global $db; 85 $sql = "SELECT language_id, description, lang_code, dest FROM languages WHERE language_id = ". addslashes($language_id);85 $sql = "SELECT language_id, description, lang_code, dest FROM languages WHERE language_id = ".$db->escapeSimple($language_id); 86 86 $row = $db->getRow($sql, DB_FETCHMODE_ASSOC); 87 87 if(DB::IsError($row)) { … … 95 95 global $db; 96 96 $sql = "INSERT INTO languages (description, lang_code, dest) VALUES (". 97 "'". addslashes($description)."', ".98 "'". addslashes($lang_code)."', ".99 "'". addslashes($dest)."')";97 "'".$db->escapeSimple($description)."', ". 98 "'".$db->escapeSimple($lang_code)."', ". 99 "'".$db->escapeSimple($dest)."')"; 100 100 $result = $db->query($sql); 101 101 if(DB::IsError($result)) { … … 106 106 function languages_delete($language_id) { 107 107 global $db; 108 $sql = "DELETE FROM languages WHERE language_id = ". addslashes($language_id);108 $sql = "DELETE FROM languages WHERE language_id = ".$db->escapeSimple($language_id); 109 109 $result = $db->query($sql); 110 110 if(DB::IsError($result)) { … … 116 116 global $db; 117 117 $sql = "UPDATE languages SET ". 118 "description = '". addslashes($description)."', ".119 "lang_code = '". addslashes($lang_code)."', ".120 "dest = '". addslashes($dest)."' ".121 "WHERE language_id = ". addslashes($language_id);118 "description = '".$db->escapeSimple($description)."', ". 119 "lang_code = '".$db->escapeSimple($lang_code)."', ". 120 "dest = '".$db->escapeSimple($dest)."' ". 121 "WHERE language_id = ".$db->escapeSimple($language_id); 122 122 $result = $db->query($sql); 123 123 if(DB::IsError($result)) { modules/branches/2.5/miscapps/functions.inc.php
r5276 r6527 55 55 function miscapps_get($miscapps_id) { 56 56 global $db; 57 $sql = "SELECT miscapps_id, description, ext, dest FROM miscapps WHERE miscapps_id = ". addslashes($miscapps_id);57 $sql = "SELECT miscapps_id, description, ext, dest FROM miscapps WHERE miscapps_id = ".$db->escapeSimple($miscapps_id); 58 58 $row = $db->getRow($sql, DB_FETCHMODE_ASSOC); 59 59 if(DB::IsError($row)) { … … 72 72 global $db; 73 73 $sql = "INSERT INTO miscapps (description, ext, dest) VALUES (". 74 "'". addslashes($description)."', ".75 "'". addslashes($ext)."', ".76 "'". addslashes($dest)."')";74 "'".$db->escapeSimple($description)."', ". 75 "'".$db->escapeSimple($ext)."', ". 76 "'".$db->escapeSimple($dest)."')"; 77 77 $result = $db->query($sql); 78 78 if(DB::IsError($result)) { … … 93 93 function miscapps_delete($miscapps_id) { 94 94 global $db; 95 $sql = "DELETE FROM miscapps WHERE miscapps_id = ". addslashes($miscapps_id);95 $sql = "DELETE FROM miscapps WHERE miscapps_id = ".$db->escapeSimple($miscapps_id); 96 96 $result = $db->query($sql); 97 97 if(DB::IsError($result)) { … … 106 106 global $db; 107 107 $sql = "UPDATE miscapps SET ". 108 "description = '". addslashes($description)."', ".109 "ext = '". addslashes($ext)."', ".110 "dest = '". addslashes($dest)."' ".111 "WHERE miscapps_id = ". addslashes($miscapps_id);108 "description = '".$db->escapeSimple($description)."', ". 109 "ext = '".$db->escapeSimple($ext)."', ". 110 "dest = '".$db->escapeSimple($dest)."' ". 111 "WHERE miscapps_id = ".$db->escapeSimple($miscapps_id); 112 112 $result = $db->query($sql); 113 113 if(DB::IsError($result)) { modules/branches/2.5/paging/functions.inc.php
r6347 r6527 400 400 401 401 // Just in case someone's trying to be smart with a SQL injection. 402 $grp = addslashes($grp);402 $grp = $db->escapeSimple($grp); 403 403 404 404 $sql = "SELECT ext FROM paging_groups where page_number='$grp'"; … … 415 415 416 416 // Just in case someone's trying to be smart with a SQL injection. 417 $grp = addslashes($grp);417 $grp = $db->escapeSimple($grp); 418 418 419 419 $sql = "SELECT * FROM paging_config WHERE page_group='$grp'"; … … 436 436 437 437 // Just in case someone's trying to be smart with a SQL injection. 438 $xtn = addslashes($xtn);438 $xtn = $db->escapeSimple($xtn); 439 439 440 440 // Delete it if it's there. … … 480 480 } 481 481 foreach (array_keys($xtns) as $val) { 482 $val = addslashes(trim($xtns[$val]));482 $val = $db->escapeSimple(trim($xtns[$val])); 483 483 // Sanity check input. 484 484 … … 487 487 } 488 488 489 $description = addslashes(trim($description));489 $description = $db->escapeSimple(trim($description)); 490 490 $sql = "INSERT INTO paging_config(page_group, force_page, duplex, description) VALUES ('$xtn', '$force_page', '$duplex', '$description')"; 491 491 $db->query($sql); modules/branches/2.5/queueprio/functions.inc.php
r6485 r6527 68 68 function queueprio_get($queueprio_id) { 69 69 global $db; 70 $sql = "SELECT queueprio_id, description, queue_priority, dest FROM queueprio WHERE queueprio_id = ". addslashes($queueprio_id);70 $sql = "SELECT queueprio_id, description, queue_priority, dest FROM queueprio WHERE queueprio_id = ".$db->escapeSimple($queueprio_id); 71 71 $row = $db->getRow($sql, DB_FETCHMODE_ASSOC); 72 72 if(DB::IsError($row)) { … … 80 80 global $db; 81 81 $sql = "INSERT INTO queueprio (description, queue_priority, dest) VALUES (". 82 "'". addslashes($description)."', ".83 "'". addslashes($queue_priority)."', ".84 "'". addslashes($dest)."')";82 "'".$db->escapeSimple($description)."', ". 83 "'".$db->escapeSimple($queue_priority)."', ". 84 "'".$db->escapeSimple($dest)."')"; 85 85 $result = $db->query($sql); 86 86 if(DB::IsError($result)) { … … 91 91 function queueprio_delete($queueprio_id) { 92 92 global $db; 93 $sql = "DELETE FROM queueprio WHERE queueprio_id = ". addslashes($queueprio_id);93 $sql = "DELETE FROM queueprio WHERE queueprio_id = ".$db->escapeSimple($queueprio_id); 94 94 $result = $db->query($sql); 95 95 if(DB::IsError($result)) { … … 101 101 global $db; 102 102 $sql = "UPDATE queueprio SET ". 103 "description = '". addslashes($description)."', ".104 "queue_priority = '". addslashes($queue_priority)."', ".105 "dest = '". addslashes($dest)."' ".106 "WHERE queueprio_id = ". addslashes($queueprio_id);103 "description = '".$db->escapeSimple($description)."', ". 104 "queue_priority = '".$db->escapeSimple($queue_priority)."', ". 105 "dest = '".$db->escapeSimple($dest)."' ". 106 "WHERE queueprio_id = ".$db->escapeSimple($queueprio_id); 107 107 $result = $db->query($sql); 108 108 if(DB::IsError($result)) { modules/branches/2.5/queues/functions.inc.php
r6447 r6527 422 422 } 423 423 $extension = $account; 424 $descr = isset($name) ? addslashes($name):'';425 $grppre = isset($prefix) ? addslashes($prefix):'';426 $alertinfo = isset($alertinfo) ? addslashes($alertinfo):'';424 $descr = isset($name) ? $db->escapeSimple($name):''; 425 $grppre = isset($prefix) ? $db->escapeSimple($prefix):''; 426 $alertinfo = isset($alertinfo) ? $db->escapeSimple($alertinfo):''; 427 427 //$joinannounce_id = $joinannounce_id; 428 428 $ringing = isset($_REQUEST['rtone']) ? $_REQUEST['rtone']:''; … … 434 434 $cwignore = isset($cwignore) ? $cwignore:'0'; 435 435 $queuewait = isset($queuewait) ? $queuewait:'0'; 436 $qregex = isset($qregex) ? addslashes($qregex):'';436 $qregex = isset($qregex) ? $db->escapeSimple($qregex):''; 437 437 438 438 // Assumes it has just been deleted modules/branches/2.5/recordings/functions.inc.php
r6160 r6527 176 176 $fname = $filename; 177 177 } 178 $description = ($description != '') ? addslashes($description) : _("No long description available");179 $displayname = addslashes($displayname);178 $description = ($description != '') ? $db->escapeSimple($description) : _("No long description available"); 179 $displayname = $db->escapeSimple($displayname); 180 180 sql("INSERT INTO recordings (displayname, filename, description) VALUES ( '$displayname', '$fname', '$description')"); 181 181 … … 185 185 186 186 function recordings_update($id, $rname, $descr, $_REQUEST, $fcode=0, $fcode_pass='') { 187 global $db; 187 188 188 189 // Update the descriptive fields 189 190 $fcode_pass = preg_replace("/[^0-9*]/" ,"", trim($fcode_pass)); 190 $results = sql("UPDATE recordings SET displayname = '". addslashes($rname)."', description = '".addslashes($descr)."', fcode='$fcode', fcode_pass='".$fcode_pass."' WHERE id = '$id'");191 $results = sql("UPDATE recordings SET displayname = '".$db->escapeSimple($rname)."', description = '".$db->escapeSimple($descr)."', fcode='$fcode', fcode_pass='".$fcode_pass."' WHERE id = '$id'"); 191 192 192 193 // Build the file list from _REQUEST … … 295 296 296 297 function recordings_set_file($id, $filename) { 298 global $db; 297 299 // Strip off any dangling &'s on the end: 298 300 $filename = rtrim($filename, '&'); 299 $results = sql("UPDATE recordings SET filename = '". addslashes($filename)."' WHERE id = '$id'");301 $results = sql("UPDATE recordings SET filename = '".$db->escapeSimple($filename)."' WHERE id = '$id'"); 300 302 } 301 303 modules/branches/2.5/timeconditions/functions.inc.php
r6481 r6527 406 406 $times = isset($_REQUEST['times'])?$_REQUEST['times']:null; 407 407 408 //addslashes409 408 switch ($action) { 410 409 case 'add': modules/branches/2.5/vmblast/functions.inc.php
r6347 r6527 148 148 149 149 foreach ($xtns as $key => $value) { 150 $xtns[$key] = addslashes(trim($value));150 $xtns[$key] = $db->escapeSimple(trim($value)); 151 151 } 152 152 // Sanity check input.
