Changeset 2717270
- Timestamp:
- 05/02/2022 08:05:00 PM (4 years ago)
- Location:
- stafflist/trunk
- Files:
-
- 2 edited
-
readme.txt (modified) (1 diff)
-
stafflist.php (modified) (4 diffs)
stafflist/trunk/readme.txt
r2702847 r2717270 103 103 104 104 == Changelog == 105 = 3.1.5 = 106 * Fixed a vulnerability in admin search discoverd by HYusufzai (thank you); 105 107 106 108 = 3.1.2 = -
stafflist/trunk/stafflist.php
r2702847 r2717270 4 4 Plugin URI: http://wordpress.org/plugins/stafflist/ 5 5 Description: A super simplified staff directory tool 6 Version: 3.1. 26 Version: 3.1.5 7 7 Author: era404 8 8 Author URI: http://www.era404.com … … 214 214 215 215 //handle search (use mb_strtolower, where available) 216 $w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ? 217 (function_exists('imap_open') ? 218 mb_strtolower(wpesc($_GET['search']),'utf8') : 219 strtolower(wpesc($_GET['search']))) : 220 false); 221 222 $where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR 223 LOWER(firstname) LIKE '%{$w}%' OR 224 LOWER(department) LIKE '%{$w}%' OR 225 LOWER(email) LIKE '%{$w}%'" : ""); 226 //add nonstandard rows to search 227 $nonstd = getNonstandardRows(1); 228 if($w && !empty($nonstd)) foreach($nonstd as $k=>$v) $where.= " OR LOWER({$k}) LIKE '%{$w}%' "; 216 if(isset($_GET['search']) && (string) trim($_GET['search'])!=""){ 217 218 $w = (function_exists('mb_strtolower') ? 219 mb_strtolower( $_GET['search'],'utf8') : 220 strtolower( $_GET['search'])); 221 $ws = '%'.$wpdb->esc_like($w).'%'; 222 $where = "WHERE LOWER(lastname) LIKE %s OR 223 LOWER(firstname) LIKE %s OR 224 LOWER(department) LIKE %s OR 225 LOWER(email) LIKE %s"; 226 $params = array($ws,$ws,$ws,$ws); 227 228 //add nonstandard rows to search 229 $nonstd = getNonstandardRows(1); 230 if(!empty($nonstd)){ 231 foreach($nonstd as $k=>$v){ 232 $where.= " OR LOWER({$k}) LIKE %s "; 233 $params[] = $ws; 234 } 235 } 236 237 } else { 238 $w = false; 239 $where = ""; 240 $params = array(); 241 } 229 242 230 243 //get count, first 231 $count = $wpdb->get_var("SELECT count(id) FROM $staffdb {$where}"); //echo "COUNT: $count<br /><br />"; 244 $q = "SELECT count(id) FROM $staffdb {$where}"; 245 $sql = $wpdb->prepare($q,$params); 246 $count = $wpdb->get_var(); //echo "COUNT: $count<br /><br />"; 232 247 233 248 //handle paging … … 238 253 239 254 //build query 240 $q = "SELECT * FROM {$staffdb} {$where} ORDER BY {$sort} {$dir} 
LIMIT {$pg[4]}, {$pg[1]}"; //echo $q; 241 $staff = $wpdb->get_results($q, ARRAY_A); //myprint_r($staff); 255 $q = "SELECT * FROM {$staffdb} {$where} ORDER BY {$sort} {$dir} LIMIT {$pg[4]}, {$pg[1]}"; //echo $q; 256 $sql = $wpdb->prepare($q,$params); 257 $staff = $wpdb->get_results($sql, ARRAY_A); //myprint_r($staff); 242 258 243 259 //build table … … 274 290 ***********************************************************************************/ 275 291 echo "<div id='warning' class='orange' style='display:".($cr>0?"block":"none").";'>".(($cr>0)?"<strong>NOTE:</strong> [ $cr ] Staff Record removed.":"")."</div>"; 276 echo "<input type='text' id='searchdirectory' name='searchdirectory' value=' {$w}' placeholder='Search Directory' />";292 echo "<input type='text' id='searchdirectory' name='searchdirectory' value='".esc_attr(stripslashes($w))."' placeholder='Search Directory' />"; 277 293 278 294 global $stafflisturl; $stafflisturl = STAFFLIST_URL . ($w ? "&search={$w}" : "");
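Review bot: The prepared count query is never executed — new line 246 reads `$count = $wpdb->get_var();` with no argument, so `$sql` from line 245 is discarded and wpdb falls back to whatever result it last cached, giving a wrong (or null) record count; it should be `$count = $wpdb->get_var($sql);`. Separately, when there is no search term `$params` is an empty array and `$where` is empty, so `$wpdb->prepare($q, $params)` on lines 245 and 256 runs on a query with no placeholders, which WordPress treats as incorrect usage and reports via `_doing_it_wrong`; guard it as `$sql = $params ? $wpdb->prepare($q, $params) : $q;` in both places. Line 294 now appends the raw lowercased `$_GET['search']` to `$stafflisturl` without the old `wpesc()` call and without URL-encoding, so if that URL is echoed into HTML or a redirect outside this hunk it needs `urlencode($w)` at build time and `esc_url()` at output — I cannot see its consumers here. The table name, `$sort`, `$dir`, the `$pg` offsets and the `$nonstd` column names are still interpolated directly; their origin is outside this hunk, so confirm they are whitelisted or cast rather than taken from the request. The enclosing function starts before and ends after this hunk.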