4 files changed, 117 insertions, 117 deletions
diff --git a/demos/quickstart/protected/pages/Advanced/Security.page b/demos/quickstart/protected/pages/Advanced/Security.page
index a515bd0a..7aaab552 100644
--- a/demos/quickstart/protected/pages/Advanced/Security.page
+++ b/demos/quickstart/protected/pages/Advanced/Security.page
@@ -47,7 +47,7 @@ There are several countermeasures to prevent cookies from being attacked.
 <ul id="u1" class="block-content">
<li>An application can use SSL to create a secure communication channel and only pass the authentication cookie over an HTTPS connection. Attackers are thus unable to decipher the contents in the transferred cookies.</li>
<li>Expire sessions appropriately, including all cookies and session tokens, to reduce the likelihood of being attacked.</li>
- <li>Prevent <a href="?page=Security.XSS">cross-site scripting (XSS)</a> which causes arbitrary code to run in a user's browser and expose his cookies.</li>
+ <li>Prevent cross-site scripting (XSS) which causes arbitrary code to run in a user's browser and expose his cookies.</li>
<li>Validate cookie data and detect if they are altered.</li>
</ul>
<p id="730573" class="block-content">
diff --git a/demos/quickstart/protected/pages/Controls/NewControl.page b/demos/quickstart/protected/pages/Controls/NewControl.page
index f521ffd7..9981dd56 100644
--- a/demos/quickstart/protected/pages/Controls/NewControl.page
+++ b/demos/quickstart/protected/pages/Controls/NewControl.page
@@ -57,7 +57,7 @@ Complete code for <tt>LabeledTextBox</tt> is shown as follows,
 class LabeledTextBox extends TCompositeControl {
private $_label;
private $_textbox;
- protected function createChildControls() {
+ public function createChildControls() {
$this->_label=new TLabel;
$this->_label->setID('Label');
// add the label as a child of LabeledTextBox
diff --git a/demos/quickstart/protected/pages/Controls/Standard.page b/demos/quickstart/protected/pages/Controls/Standard.page
index 6fe7533f..88bac309 100644
--- a/demos/quickstart/protected/pages/Controls/Standard.page
+++ b/demos/quickstart/protected/pages/Controls/Standard.page
@@ -104,7 +104,7 @@ </li>
<li>
- <a href="?page=Controls.SafeHtml">TSafeHtml</a> displays its body content with assurance that the content contain no harmful code (such as <a href="?page=Security.XSS">XSS</a>).
+ <a href="?page=Controls.SafeHtml">TSafeHtml</a> displays its body content with assurance that the content contain no harmful code (such as <a href="?page=Advanced.Security">XSS</a>).
</li>
<li>
diff --git a/framework/I18N/core/MessageSource_MySQL.php b/framework/I18N/core/MessageSource_MySQL.php
index 67d86d87..e4f84d2e 100644
--- a/framework/I18N/core/MessageSource_MySQL.php
+++ b/framework/I18N/core/MessageSource_MySQL.php
@@ -29,7 +29,7 @@ require_once(dirname(__FILE__).'/util.php');
 /**
* MessageSource_MySQL class.
- *
+ *
* Retrive the message translation from a MySQL database.
*
* See the MessageSource::factory() method to instantiate this class.
@@ -42,19 +42,19 @@ class MessageSource_MySQL extends MessageSource
 {
/**
* The datasource string, full DSN to the database.
- * @var string
+ * @var string
*/
protected $source;
-
+
/**
* The DSN array property, parsed by PEAR's DB DSN parser.
- * @var array
+ * @var array
*/
protected $dns;
-
+
/**
* A resource link to the database
- * @var db
+ * @var db
*/
protected $db;
/**
@@ -65,44 +65,44 @@ class MessageSource_MySQL extends MessageSource
 */
function __construct($source)
{
- $this->source = (string)$source;
+ $this->source = (string)$source;
$this->dns = parseDSN($this->source);
$this->db = $this->connect();
}
-
+
/**
* Destructor, close the database connection.
*/
- function __destruct()
+ function __destruct()
{
@mysql_close($this->db);
}
-
+
/**
* Connect to the MySQL datasource
- * @return resource MySQL connection.
+ * @return resource MySQL connection.
* @throws Exception, connection and database errors.
*/
protected function connect()
{
/*static $conn;
-
+
if(!is_null($conn))
return $conn;
*/
$dsninfo = $this->dns;
-
- if (isset($dsninfo['protocol']) && $dsninfo['protocol'] == 'unix')
+
+ if (isset($dsninfo['protocol']) && $dsninfo['protocol'] == 'unix')
$dbhost = ':' . $dsninfo['socket'];
- else
+ else
{
$dbhost = $dsninfo['hostspec'] ? $dsninfo['hostspec'] : 'localhost';
- if (!empty($dsninfo['port']))
+ if (!empty($dsninfo['port']))
$dbhost .= ':' . $dsninfo['port'];
}
$user = $dsninfo['username'];
- $pw = $dsninfo['password'];
-
+ $pw = $dsninfo['password'];
+
$connect_function = 'mysql_connect';
if ($dbhost && $user && $pw)
@@ -112,55 +112,55 @@ class MessageSource_MySQL extends MessageSource
 elseif ($dbhost)
$conn = @$connect_function($dbhost);
else
- $conn = false;
-
- if (empty($conn))
+ $conn = false;
+
+ if (empty($conn))
{
throw new Exception('Error in connecting to '.$dsninfo);
}
-
- if ($dsninfo['database'])
+
+ if ($dsninfo['database'])
{
- if (!@mysql_select_db($dsninfo['database'], $conn))
+ if (!@mysql_select_db($dsninfo['database'], $conn))
throw new Exception('Error in connecting database, dns:'.
$dsninfo);
}
else
throw new Exception('Please provide a database for message'.
- ' translation.');
+ ' translation.');
return $conn;
}
-
+
/**
* Get the database connection.
- * @return db database connection.
+ * @return db database connection.
*/
public function connection()
{
return $this->db;
}
-
+
/**
- * Get an array of messages for a particular catalogue and cultural
+ * Get an array of messages for a particular catalogue and cultural
* variant.
* @param string the catalogue name + variant
* @return array translation messages.
- */
+ */
protected function &loadData($variant)
- {
- $variant = mysql_escape_string($variant);
-
- $statement =
+ {
+ $variant = mysql_real_escape_string($variant);
+
+ $statement =
"SELECT t.id, t.source, t.target, t.comments
FROM trans_unit t, catalogue c
WHERE c.cat_id = t.cat_id
- AND c.name = '{$variant}'
+ AND c.name = '{$variant}'
ORDER BY id ASC";
-
+
$rs = mysql_query($statement,$this->db);
-
+
$result = array();
-
+
while($row = mysql_fetch_array($rs,MYSQL_NUM))
{
$source = $row[1];
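Review bot: The new `mysql_real_escape_string($variant)` call in loadData omits the link identifier, so it escapes against whichever MySQL link the extension treats as current rather than `$this->db`, and per the extension's documentation it emits a warning and returns false when no link is open, which the interpolation on the `c.name = '{$variant}'` line then turns into an empty catalogue name. Pass the connection this object opened: `$variant = mysql_real_escape_string($variant, $this->db);`. Escaping is only correct for the character set of the link it is given, so with several message sources or another mysql link in the same process the wrong one may be consulted. The same omission is repeated in the later hunks in getLastModified, isValidSource, getCatalogueDetails, save, delete and update. loadData's body continues past the end of this hunk.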
@@ -168,78 +168,78 @@ class MessageSource_MySQL extends MessageSource
 $result[$source][] = $row[0]; //id
$result[$source][] = $row[3]; //comments
}
-
+
return $result;
}
-
+
/**
* Get the last modified unix-time for this particular catalogue+variant.
* We need to query the database to get the date_modified.
* @param string catalogue+variant
* @return int last modified in unix-time format.
- */
+ */
protected function getLastModified($source)
{
- $source = mysql_escape_string($source);
+ $source = mysql_real_escape_string($source);
$rs = mysql_query(
"SELECT date_modified FROM catalogue WHERE name = '{$source}'",
$this->db);
-
+
$result = $rs ? intval(mysql_result($rs,0)) : 0;
-
- return $result;
+
+ return $result;
}
-
+
/**
* Check if a particular catalogue+variant exists in the database.
* @param string catalogue+variant
- * @return boolean true if the catalogue+variant is in the database,
+ * @return boolean true if the catalogue+variant is in the database,
* false otherwise.
- */
+ */
protected function isValidSource($variant)
{
- $variant = mysql_escape_string ($variant);
+ $variant = mysql_real_escape_string ($variant);
- $rs = mysql_query(
+ $rs = mysql_query(
"SELECT COUNT(*) FROM catalogue WHERE name = '{$variant}'",
$this->db);
-
+
$row = mysql_fetch_array($rs,MYSQL_NUM);
-
+
$result = $row && $row[0] == '1';
return $result;
}
-
+
/**
* Get all the variants of a particular catalogue.
* @param string catalogue name
- * @return array list of all variants for this catalogue.
- */
+ * @return array list of all variants for this catalogue.
+ */
protected function getCatalogueList($catalogue)
{
$variants = explode('_',$this->culture);
-
+
$catalogues = array($catalogue);
$variant = null;
-
+
for($i = 0, $k = count($variants); $i < $k; ++$i)
- {
+ {
if(isset($variants[$i]{0}))
{
$variant .= ($variant)?'_'.$variants[$i]:$variants[$i];
$catalogues[] = $catalogue.'.'.$variant;
}
}
- return array_reverse($catalogues);
- }
-
+ return array_reverse($catalogues);
+ }
+
/**
* Retrive catalogue details, array($cat_id, $variant, $count).
* @param string catalogue
- * @return array catalogue details, array($cat_id, $variant, $count).
+ * @return array catalogue details, array($cat_id, $variant, $count).
*/
private function getCatalogueDetails($catalogue='messages')
{
@@ -247,17 +247,17 @@ class MessageSource_MySQL extends MessageSource
 $catalogue = 'messages';
$variant = $catalogue.'.'.$this->culture;
-
- $name = mysql_escape_string($this->getSource($variant));
-
+
+ $name = mysql_real_escape_string($this->getSource($variant));
+
$rs = mysql_query("SELECT cat_id
FROM catalogue WHERE name = '{$name}'", $this->db);
-
+
if(mysql_num_rows($rs) != 1)
return false;
-
+
$cat_id = intval(mysql_result($rs,0));
-
+
//first get the catalogue ID
$rs = mysql_query(
"SELECT count(msg_id)
@@ -265,30 +265,30 @@ class MessageSource_MySQL extends MessageSource
 WHERE cat_id = {$cat_id}", $this->db);
$count = intval(mysql_result($rs,0));
-
+
return array($cat_id, $variant, $count);
- }
-
+ }
+
/**
* Update the catalogue last modified time.
- * @return boolean true if updated, false otherwise.
+ * @return boolean true if updated, false otherwise.
*/
private function updateCatalogueTime($cat_id, $variant)
{
$time = time();
-
- $result = mysql_query("UPDATE catalogue
+
+ $result = mysql_query("UPDATE catalogue
SET date_modified = {$time}
WHERE cat_id = {$cat_id}", $this->db);
-
+
if(!empty($this->cache))
- $this->cache->clean($variant, $this->culture);
-
+ $this->cache->clean($variant, $this->culture);
+
return $result;
- }
-
+ }
+
/**
- * Save the list of untranslated blocks to the translation source.
+ * Save the list of untranslated blocks to the translation source.
* If the translation was not found, you should add those
* strings to the translation source via the <b>append()</b> method.
* @param string the catalogue to add to
@@ -297,16 +297,16 @@ class MessageSource_MySQL extends MessageSource
 function save($catalogue='messages')
{
$messages = $this->untranslated;
-
- if(count($messages) <= 0) return false;
- $details = $this->getCatalogueDetails($catalogue);
-
+ if(count($messages) <= 0) return false;
+
+ $details = $this->getCatalogueDetails($catalogue);
+
if($details)
list($cat_id, $variant, $count) = $details;
else
- return false;
-
+ return false;
+
if($cat_id <= 0) return false;
$inserted = 0;
@@ -315,23 +315,23 @@ class MessageSource_MySQL extends MessageSource
 foreach($messages as $message)
{
$count++; $inserted++;
- $message = mysql_escape_string($message);
+ $message = mysql_real_escape_string($message);
$statement = "INSERT INTO trans_unit
(cat_id,id,source,date_added) VALUES
({$cat_id}, {$count},'{$message}',$time)";
mysql_query($statement, $this->db);
}
if($inserted > 0)
- $this->updateCatalogueTime($cat_id, $variant);
+ $this->updateCatalogueTime($cat_id, $variant);
return $inserted > 0;
- }
-
+ }
+
/**
* Delete a particular message from the specified catalogue.
* @param string the source message to delete.
* @param string the catalogue to delete from.
- * @return boolean true if deleted, false otherwise.
+ * @return boolean true if deleted, false otherwise.
*/
function delete($message, $catalogue='messages')
{
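Review bot: `$count++; $inserted++;` at the top of the foreach body counts a message as inserted before the INSERT is issued, and the return value of `mysql_query($statement, $this->db)` is discarded, so save() returns true and bumps the catalogue time even when every insert failed. Increment only on success: drop `$inserted++` from that line and replace the query line with `if (mysql_query($statement, $this->db)) { $inserted++; }`. `$time` in the VALUES list is assigned outside the visible hunks, and save()'s opening lines are in the previous hunk.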
@@ -340,30 +340,30 @@ class MessageSource_MySQL extends MessageSource
 list($cat_id, $variant, $count) = $details;
else
return false;
-
- $text = mysql_escape_string($message);
-
+
+ $text = mysql_real_escape_string($message);
+
$statement = "DELETE FROM trans_unit WHERE
cat_id = {$cat_id} AND source = '{$message}'";
$deleted = false;
-
+
mysql_query($statement, $this->db);
if(mysql_affected_rows($this->db) == 1)
- $deleted = $this->updateCatalogueTime($cat_id, $variant);
-
+ $deleted = $this->updateCatalogueTime($cat_id, $variant);
+
return $deleted;
}
-
+
/**
* Update the translation.
* @param string the source string.
* @param string the new translation string.
* @param string comments
* @param string the catalogue of the translation.
- * @return boolean true if translation was updated, false otherwise.
- */
+ * @return boolean true if translation was updated, false otherwise.
+ */
function update($text, $target, $comments, $catalogue='messages')
{
$details = $this->getCatalogueDetails($catalogue);
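Review bot: The escaped `$text` produced on the new `mysql_real_escape_string($message)` line in delete() is never used; the DELETE statement two lines below interpolates the raw `{$message}`, so the escaping changed here has no effect and a source string containing a quote breaks the query or alters its WHERE clause. Use the escaped value: `cat_id = {$cat_id} AND source = '{$text}'";`. Note also that `mysql_affected_rows($this->db) == 1` leaves `$deleted` false when more than one row matched, even though the rows were removed. delete()'s signature and its getCatalogueDetails call are outside this hunk.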
@@ -371,32 +371,32 @@ class MessageSource_MySQL extends MessageSource
 list($cat_id, $variant, $count) = $details;
else
return false;
-
- $comments = mysql_escape_string($comments);
- $target = mysql_escape_string($target);
- $text = mysql_escape_string($text);
-
+
+ $comments = mysql_real_escape_string($comments);
+ $target = mysql_real_escape_string($target);
+ $text = mysql_real_escape_string($text);
+
$time = time();
-
+
$statement = "UPDATE trans_unit SET
target = '{$target}',
comments = '{$comments}',
date_modified = '{$time}'
- WHERE cat_id = {$cat_id}
+ WHERE cat_id = {$cat_id}
AND source = '{$text}'";
-
+
$updated = false;
-
+
mysql_query($statement, $this->db);
if(mysql_affected_rows($this->db) == 1)
$updated = $this->updateCatalogueTime($cat_id, $variant);
-
+
return $updated;
}
-
+
/**
* Returns a list of catalogue as key and all it variants as value.
- * @return array list of catalogues
+ * @return array list of catalogues
*/
function catalogues()
{
@@ -407,12 +407,12 @@ class MessageSource_MySQL extends MessageSource
 {
$details = explode('.',$row[0]);
if(!isset($details[1])) $details[1] = null;
-
+
$result[] = $details;
}
return $result;
}
-
+
}
?>
\ No newline at end of file |