summaryrefslogtreecommitdiff
path: root/program/steps/addressbook
diff options
context:
space:
mode:
Diffstat (limited to 'program/steps/addressbook')
-rw-r--r--program/steps/addressbook/ldapsearchform.inc2
-rw-r--r--program/steps/addressbook/save.inc26
2 files changed, 14 insertions, 14 deletions
diff --git a/program/steps/addressbook/ldapsearchform.inc b/program/steps/addressbook/ldapsearchform.inc
index 5c04406c5..a4e08dcdc 100644
--- a/program/steps/addressbook/ldapsearchform.inc
+++ b/program/steps/addressbook/ldapsearchform.inc
@@ -255,7 +255,7 @@ function get_form_tags($attrib)
$hiddenfields = new hiddenfield(array('name' => '_task', 'value' => $GLOBALS['_task']));
$hiddenfields->add(array('name' => '_action', 'value' => 'ldappublicsearch'));
- if ($_GET['_framed'] || $_POST['_framed'])
+ if ($_framed)
$hiddenfields->add(array('name' => '_framed', 'value' => 1));
$form_start .= !strlen($attrib['form']) ? '<form name="form" action="./" method="post">' : '';
diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc
index 32a6243fd..5135e4b04 100644
--- a/program/steps/addressbook/save.inc
+++ b/program/steps/addressbook/save.inc
@@ -23,7 +23,7 @@
if ((empty($_POST['_name']) || empty($_POST['_email'])) && empty($_GET['_framed']))
{
show_message('formincomplete', 'warning');
- rcmail_overwrite_action($_POST['_cid'] ? 'show' : 'add');
+ rcmail_overwrite_action(empty($_POST['_cid']) ? 'add' : 'show');
return;
}
@@ -32,7 +32,7 @@ $a_save_cols = array('name', 'firstname', 'surname', 'email');
$contacts_table = get_table_name('contacts');
// update an existing contact
-if ($_POST['_cid'])
+if (!empty($_POST['_cid']))
{
$a_write_sql = array();
@@ -44,7 +44,7 @@ if ($_POST['_cid'])
$a_write_sql[] = sprintf("%s=%s",
$DB->quoteIdentifier($col),
- $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset())));
+ $DB->quote(get_input_value($fname, RCUBE_INPUT_POST)));
}
if (sizeof($a_write_sql))
@@ -65,7 +65,7 @@ if ($_POST['_cid'])
$_action = 'show';
show_message('successfullysaved', 'confirmation');
- if ($_POST['_framed'])
+ if ($_framed)
{
// define list of cols to be displayed
$a_show_cols = array('name', 'email');
@@ -115,20 +115,20 @@ else
if (isset($_GET['_emails']) && isset($_GET['_names']))
{
$sql .= "AND email IN (";
- $emails = explode(',', $_GET['_emails']);
- $names = explode(',', $_GET['_names']);
+ $emails = explode(',', get_input_value('_emails', RCUBE_INPUT_GET));
+ $names = explode(',', get_input_value('_names', RCUBE_INPUT_GET));
$count = count($emails);
$n = 0;
foreach ($emails as $email)
{
$end = (++$n == $count) ? '' : ',';
- $sql .= $DB->quote(strip_tags($email)) . $end;
+ $sql .= $DB->quote($email) . $end;
}
$sql .= ")";
$ldap_form = true;
}
else if (isset($_POST['_email']))
- $sql .= "AND email = " . $DB->quote(strip_tags($_POST['_email']));
+ $sql .= "AND email = " . $DB->quote(get_input_value('_email', RCUBE_INPUT_POST));
$sql_result = $DB->query($sql);
@@ -151,9 +151,9 @@ else
foreach ($emails as $email)
{
$DB->query("INSERT INTO $contacts_table
- (user_id, name, email)
- VALUES ({$_SESSION['user_id']}," . $DB->quote(strip_tags($names[$n++])) . "," .
- $DB->quote(strip_tags($email)) . ")");
+ (user_id, name, email
+ VALUES ({$_SESSION['user_id']}," . $DB->quote($names[$n++]) . "," .
+ $DB->quote($email) . ")");
$insert_id[] = $DB->insert_id();
}
}
@@ -166,7 +166,7 @@ else
continue;
$a_insert_cols[] = $col;
- $a_insert_values[] = $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset()));
+ $a_insert_values[] = $DB->quote(get_input_value($fname, RCUBE_INPUT_POST));
}
if (sizeof($a_insert_cols))
@@ -187,7 +187,7 @@ else
$_action = 'show';
$_GET['_cid'] = $insert_id;
- if ($_POST['_framed'])
+ if ($_framed)
{
// add contact row or jump to the page where it should appear
$commands = sprintf("if(parent.%s)parent.", $JS_OBJECT_NAME);