From 37b29231e47a0c4458dc1c15d98588f16f07e1e2 Mon Sep 17 00:00:00 2001 From: Marius Cramer <m.cramer@pixcept.de> Date: Thu, 06 Aug 2015 03:18:44 -0400 Subject: [PATCH] - don't set password via remoting if field is empty --- interface/web/sites/shell_user_edit.php | 18 ++++++++---------- 1 files changed, 8 insertions(+), 10 deletions(-) diff --git a/interface/web/sites/shell_user_edit.php b/interface/web/sites/shell_user_edit.php index 8de6be7..77c4509 100644 --- a/interface/web/sites/shell_user_edit.php +++ b/interface/web/sites/shell_user_edit.php @@ -103,14 +103,12 @@ global $app, $conf; // Get the record of the parent domain - //$parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]) . " AND ".$app->tform->getAuthSQL('r')); - //if(!$parent_domain || $parent_domain['domain_id'] != @$this->dataRecord['parent_domain_id']) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm"); if(isset($this->dataRecord["parent_domain_id"])) { - $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]) . " AND ".$app->tform->getAuthSQL('r')); + $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ? AND ".$app->tform->getAuthSQL('r'), @$this->dataRecord["parent_domain_id"]); if(!$parent_domain || $parent_domain['domain_id'] != @$this->dataRecord['parent_domain_id']) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm"); } else { $tmp = $app->tform->getDataRecord($this->id); - $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval($tmp["parent_domain_id"]) . " AND ".$app->tform->getAuthSQL('r')); + $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ? AND ".$app->tform->getAuthSQL('r'), $tmp["parent_domain_id"]); if(!$parent_domain) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm"); unset($tmp); } @@ -163,12 +161,12 @@ function onAfterInsert() { global $app, $conf; - $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$app->functions->intval($this->dataRecord["parent_domain_id"])); + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $this->dataRecord["parent_domain_id"]); $server_id = $app->functions->intval($web["server_id"]); - $dir = $app->db->quote($web["document_root"]); - $uid = $app->db->quote($web["system_user"]); - $gid = $app->db->quote($web["system_group"]); + $dir = $web["document_root"]; + $uid = $web["system_user"]; + $gid = $web["system_group"]; // Check system user and group if($app->functions->is_allowed_user($uid) == false || $app->functions->is_allowed_group($gid) == false) { @@ -178,8 +176,8 @@ // The FTP user shall be owned by the same group then the website $sys_groupid = $app->functions->intval($web['sys_groupid']); - $sql = "UPDATE shell_user SET server_id = $server_id, dir = '$dir', puser = '$uid', pgroup = '$gid', sys_groupid = '$sys_groupid' WHERE shell_user_id = ".$this->id; - $app->db->query($sql); + $sql = "UPDATE shell_user SET server_id = ?, dir = ?, puser = ?, pgroup = ?, sys_groupid = ? WHERE shell_user_id = ?"; + $app->db->query($sql, $server_id, $dir, $uid, $gid, $sys_groupid, $this->id); } -- Gitblit v1.9.1