[Vtigercrm-commits] [vtiger-commits] r9049 - /vtigercrm/trunk/include/Ajax/TagCloud.php
vtigercrm-commits at vtiger.fosslabs.com
vtigercrm-commits at vtiger.fosslabs.com
Mon Aug 21 06:50:13 EDT 2006
Author: richie
Date: Mon Aug 21 04:50:02 2006
New Revision: 9049
Log:
SQL Injection in tagcloud has been fixed --Jeri
Modified:
vtigercrm/trunk/include/Ajax/TagCloud.php
Modified: vtigercrm/trunk/include/Ajax/TagCloud.php
==============================================================================
--- vtigercrm/trunk/include/Ajax/TagCloud.php (original)
+++ vtigercrm/trunk/include/Ajax/TagCloud.php Mon Aug 21 04:50:02 2006
@@ -1,53 +1,60 @@
-<?php
-/*********************************************************************************
- ** The contents of this file are subject to the vtiger CRM Public License Version 1.0
- * ("License"); You may not use this file except in compliance with the License
- * The Original Code is: vtiger CRM Open Source
- * The Initial Developer of the Original Code is vtiger.
- * Portions created by vtiger are Copyright (C) vtiger.
- * All Rights Reserved.
- *
- ********************************************************************************/
-$ajaxaction = $_REQUEST['ajxaction'];
-global $current_user;
-$crmid = $_REQUEST["recordid"];
-$module = $_REQUEST["module"];
-$userid = $current_user->id;
-if($ajaxaction == "SAVETAG")
-{
-
- require_once('include/freetag/freetag.class.php');
- $tagfields = $_REQUEST["tagfields"];
- $freetag = new freetag();
- if (isset($_REQUEST["tagfields"]) && trim($_REQUEST["tagfields"]) != "")
- {
- $freetag->tag_object($userid,$crmid,$tagfields,$module);
- $tagcloud = $freetag->get_tag_cloud_html($module,$userid,$crmid);
- echo $tagcloud;
- }
-
-}
-elseif($ajaxaction == 'GETTAGCLOUD')
-{
- require_once('include/freetag/freetag.class.php');
- $freetag = new freetag();
- if(trim($module) != "")
- {
- $tagcloud = $freetag->get_tag_cloud_html($module,$userid,$crmid);
- echo $tagcloud;
- }else
- {
- $tagcloud = $freetag->get_tag_cloud_html("",$userid);
- echo $tagcloud;
- }
-}elseif($ajaxaction == 'DELETETAG')
-{
- $tagid = $_REQUEST['tagid'];
- global $adb;
- $query="delete from vtiger_freetagged_objects where tag_id=".$tagid;
- $result=$adb->query($query);
- $query="delete from vtiger_freetags where id=".$tagid;
- $result=$adb->query($query);
- echo 'SUCESS';
-}
-?>
+<?php
+/*********************************************************************************
+ ** The contents of this file are subject to the vtiger CRM Public License Version 1.0
+ * ("License"); You may not use this file except in compliance with the License
+ * The Original Code is: vtiger CRM Open Source
+ * The Initial Developer of the Original Code is vtiger.
+ * Portions created by vtiger are Copyright (C) vtiger.
+ * All Rights Reserved.
+ *
+ ********************************************************************************/
+$ajaxaction = $_REQUEST['ajxaction'];
+global $current_user;
+$crmid = $_REQUEST["recordid"];
+$module = $_REQUEST["module"];
+$userid = $current_user->id;
+if($ajaxaction == "SAVETAG")
+{
+
+ require_once('include/freetag/freetag.class.php');
+ $tagfields = $_REQUEST["tagfields"];
+ $freetag = new freetag();
+ if (isset($_REQUEST["tagfields"]) && trim($_REQUEST["tagfields"]) != "")
+ {
+ $freetag->tag_object($userid,$crmid,$tagfields,$module);
+ $tagcloud = $freetag->get_tag_cloud_html($module,$userid,$crmid);
+ echo $tagcloud;
+ }
+
+}
+elseif($ajaxaction == 'GETTAGCLOUD')
+{
+ require_once('include/freetag/freetag.class.php');
+ $freetag = new freetag();
+ if(trim($module) != "")
+ {
+ $tagcloud = $freetag->get_tag_cloud_html($module,$userid,$crmid);
+ echo $tagcloud;
+ }else
+ {
+ $tagcloud = $freetag->get_tag_cloud_html("",$userid);
+ echo $tagcloud;
+ }
+}elseif($ajaxaction == 'DELETETAG')
+{
+ if(is_numeric($_REQUEST['tagid']))
+ {
+ $tagid = $_REQUEST['tagid'];
+ global $adb;
+ $query="delete from vtiger_freetagged_objects where tag_id=".$tagid;
+ $result=$adb->query($query);
+ $query="delete from vtiger_freetags where id=".$tagid;
+ $result=$adb->query($query);
+ echo 'SUCESS';
+ }else
+ {
+ die("An invalid tagid to delete.");
+ }
+
+}
+?>
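Review bot: The `is_numeric()` guard in the DELETETAG branch is looser than an integer check: it also accepts decimal, exponent and signed forms (and hexadecimal strings on PHP versions before 7), and the value is still concatenated into both `delete` statements. Validating with `if (ctype_digit((string)$_REQUEST['tagid']))` and assigning `$tagid = (int)$_REQUEST['tagid'];` would guarantee a plain integer id; a parameterized query would be better still if the `$adb` wrapper provides one. The branch also deletes by tag id alone and never uses `$userid`, so unless authorization is enforced elsewhere a request could remove a tag for every user, which is worth confirming. `$crmid`, `$module` and `$tagfields` are still passed unvalidated from `$_REQUEST` to the freetag methods in the SAVETAG and GETTAGCLOUD branches; whether those methods escape them is not visible in this file.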