From 10a699759d4f106f29c077a6d65d3b8d212825e5 Mon Sep 17 00:00:00 2001 From: thomascube Date: Sun, 6 Nov 2005 19:26:45 +0000 Subject: Added localized messages to client and check form input --- CHANGELOG | 7 ++- INSTALL | 35 ++++++++++- program/include/main.inc | 27 ++++++++ program/include/rcube_db.inc | 18 +++++- program/include/rcube_mdb2.inc | 52 +++++++--------- program/js/app.js | 104 ++++++++++++++++++++++++++++--- program/js/common.js | 15 ++++- program/localization/de/labels.inc | 2 + program/localization/de/messages.inc | 17 ++++- program/localization/en/labels.inc | 2 + program/localization/en/messages.inc | 20 ++++++ program/steps/addressbook/edit.inc | 6 +- program/steps/addressbook/save.inc | 35 +++++++++-- program/steps/mail/compose.inc | 4 ++ program/steps/mail/sendmail.inc | 13 +++- program/steps/settings/edit_identity.inc | 5 ++ program/steps/settings/func.inc | 3 + program/steps/settings/save_identity.inc | 35 ++++++----- 18 files changed, 330 insertions(+), 70 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 4d98e59e1..6d561ba74 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -60,7 +60,7 @@ CHANGELOG RoundCube Webmail - Display folder names with special chars correctly (Bug #1330157) -2005/11/02 +2005/11/06 ---------- - Added Finnish, Romanian and Chinese translation - Get IMAP server capabilities in array @@ -71,4 +71,7 @@ CHANGELOG RoundCube Webmail - Fixed XSS in address book and identities - Added more XSS protection (Bug #1308236) - Added tab indexes for compose form - +- Added 'changed' col to contacts table +- Support for 160-bit session hashes +- Added input check for contacts and identities (Patch #1346523) +- Added messages/warning to compose step (Patch #1323895) diff --git a/INSTALL b/INSTALL index f40196ff9..cca4fa12a 100644 --- a/INSTALL +++ b/INSTALL @@ -3,16 +3,47 @@ INSTALLATION ============ 1. Decompress and put this folder somewhere inside your document root -2. Make sure that the following directories are writable by the webserver +2. Make sure that the following directories (and the files within) + are writable by the webserver - /temp - /logs -3. Create a new database and a database user for RoundCube +3. Create a new database and a database user for RoundCube (see DATABASE SETUP) 4. Create database tables using the queries in file 'SQL/*.initial.sql' + (* stands for your database type) 5. Rename the files config/*.inc.php.dist to config/*.inc.php 6. Modify the files in config/* to suit your local environment 7. Done! +DATABASE SETUP +============== + +* MySQL +------- +Setting up the mysql database can be done by creating an empty database, +importing the table layout and granting the proper permissions to the +roundcube user. Here is an example of that procedure: + +# mysql +> create database 'roundcubemail'; +> GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost + IDENTIFIED BY 'password'; +> quit +# mysql roundcubemail < SQL/mysql.initial.sql + +* SQLite +-------- +Sqlite requires specifically php5 (sqlite in php4 currently doesn't +work with roundcube), and you need sqlite 2 (preferably 2.8) to setup +the sqlite db (sqlite 3.x also doesn't work at the moment). Here is +an example how you can setup the sqlite.db for roundcube: + +# sqlite -init SQL/sqlite.initial.sql sqlite.db + +Make sure your configuration points to the sqlite.db file and that the +webserver can write to the file. + + UPGRADING ========= If you already have a previous version of RoundCube installed, diff --git a/program/include/main.inc b/program/include/main.inc index 9248caa99..5895807a9 100644 --- a/program/include/main.inc +++ b/program/include/main.inc @@ -248,6 +248,9 @@ function load_gui() $OUTPUT->set_charset($CONFIG['charset']); else rcmail_set_locale($sess_user_lang); + + // add some basic label to client + rcube_add_label('loading'); } @@ -401,6 +404,16 @@ function rcmail_create_user($user, $host) } +// overwrite action variable +function rcmail_overwrite_action($action) + { + global $OUTPUT, $JS_OBJECT_NAME; + $GLOBALS['_action'] = $action; + + $OUTPUT->add_script(sprintf("\n%s.set_env('action', '%s');", $JS_OBJECT_NAME, $action)); + } + + function show_message($message, $type='notice') { global $OUTPUT, $JS_OBJECT_NAME, $REMOTE_REQUEST; @@ -490,6 +503,20 @@ function rcube_list_languages() } +// add a localized label to the client environment +function rcube_add_label() + { + global $OUTPUT, $JS_OBJECT_NAME; + + $arg_list = func_get_args(); + foreach ($arg_list as $i => $name) + $OUTPUT->add_script(sprintf("%s.add_label('%s', '%s');", + $JS_OBJECT_NAME, + $name, + rep_specialchars_output(rcube_label($name), 'js'))); + } + + // ************** template parsing and gui functions ************** diff --git a/program/include/rcube_db.inc b/program/include/rcube_db.inc index 684ed49b9..f13ab55c0 100755 --- a/program/include/rcube_db.inc +++ b/program/include/rcube_db.inc @@ -220,7 +220,17 @@ class rcube_db return $result->fetchRow(DB_FETCHMODE_ASSOC); } - function quoteIdentifier ( $str ) + + function quote($input, $type=null) + { + if (!$this->db_handle) + $this->db_connect('r'); + + return $this->db_handle->quote($input); + } + + + function quoteIdentifier($str) { if (!$this->db_handle) $this->db_connect('r'); @@ -228,6 +238,12 @@ class rcube_db return $this->db_handle->quoteIdentifier($str); } + function quote_identifier($str) + { + return $this->quoteIdentifier($str); + } + + function unixtimestamp($field) { switch($this->db_provider) diff --git a/program/include/rcube_mdb2.inc b/program/include/rcube_mdb2.inc index f6fde8dd5..35973ad5d 100755 --- a/program/include/rcube_mdb2.inc +++ b/program/include/rcube_mdb2.inc @@ -102,39 +102,24 @@ class rcube_db } // Query database - function query() - { - $params = func_get_args(); - $query = array_shift($params); - - return $this->_query($query, 0, 0, $params); - } - function limitquery() - { $params = func_get_args(); - $query = array_shift($params); - $offset = array_shift($params); - $numrows = array_shift($params); - - return $this->_query($query, $offset, $numrows, $params); - } function _query($query, $offset, $numrows, $params) @@ -168,6 +153,7 @@ class rcube_db return $this->_add_result($result, $query); } + function num_rows($res_id=NULL) { if (!$this->db_handle) @@ -181,6 +167,7 @@ class rcube_db return FALSE; } + function affected_rows($res_id=NULL) { if (!$this->db_handle) @@ -189,6 +176,7 @@ class rcube_db return $this->db_handle->affectedRows(); } + function insert_id($sequence = '') { if (!$this->db_handle || $this->db_mode=='r') @@ -212,42 +200,44 @@ class rcube_db return $result->fetchRow(MDB2_FETCHMODE_ASSOC); } - function quoteIdentifier ( $str ) - - { + function quote($input, $type=null) + { if (!$this->db_handle) - $this->db_connect('r'); - + return $this->db_handle->quote($input, $type); + } + - return $this->db_handle->quoteIdentifier($str); + function quoteIdentifier($str) + { + if (!$this->db_handle) + $this->db_connect('r'); + return $this->db_handle->quoteIdentifier($str); } - - function unixtimestamp($field) + function quote_identifier($str) { + return $this->quoteIdentifier($str); + } - switch($this->db_provider) + function unixtimestamp($field) + { + switch($this->db_provider) { - case 'pgsql': - return "EXTRACT (EPOCH FROM $field)"; - break; default: - return "UNIX_TIMESTAMP($field)"; - } - } - + + function _add_result($res, $query) { // sql error occured diff --git a/program/js/app.js b/program/js/app.js index 3f86e9f11..91825d3e6 100644 --- a/program/js/app.js +++ b/program/js/app.js @@ -6,7 +6,7 @@ | Copyright (C) 2005, RoundCube Dev, - Switzerland | | Licensed under the GNU GPL | | | - | Modified: 2005/11/01 (roundcube) | + | Modified: 2005/11/06 (roundcube) | | | +-----------------------------------------------------------------------+ | Author: Thomas Bruederli | @@ -19,6 +19,7 @@ var rcube_webmail_client; function rcube_webmail() { this.env = new Object(); + this.labels = new Object(); this.buttons = new Object(); this.gui_objects = new Object(); this.commands = new Object(); @@ -49,6 +50,14 @@ function rcube_webmail() this.env[name] = value; }; + + // add a localized label to the client environment + this.add_label = function(key, value) + { + this.labels[key] = value; + }; + + // add a button to the button list this.register_button = function(command, id, type, act, sel, over) { @@ -513,7 +522,37 @@ function rcube_webmail() case 'save-identity': case 'save': if (this.gui_objects.editform) + { + var input_pagesize = rcube_find_object('_pagesize'); + var input_name = rcube_find_object('_name'); + var input_email = rcube_find_object('_email'); + + // user prefs + if (input_pagesize && input_pagesize.value == '') + { + alert(this.get_label('nopagesizewarning')); + input_pagesize.focus(); + break; + } + // contacts/identities + else + { + if (input_name && input_name.value == '') + { + alert(this.get_label('nonamewarning')); + input_name.focus(); + break; + } + else if (input_email && !rcube_check_email(input_email.value)) + { + alert(this.get_label('noemailwarning')); + input_email.focus(); + break; + } + } + this.gui_objects.editform.submit(); + } break; case 'delete': @@ -639,14 +678,46 @@ function rcube_webmail() var input_to = rcube_find_object('_to'); var input_subject = rcube_find_object('_subject'); var input_message = rcube_find_object('_message'); - - if (input_to.value!='' && input_message.value!='') + + // check for empty recipient + if (input_to && !rcube_check_email(input_to.value, true)) { - this.set_busy(true, 'sendingmessage'); - var form = this.gui_objects.messageform; - form.submit(); + alert(this.get_label('norecipientwarning')); + input_to.focus(); + break; } - + + // display localized warning for missing subject + if (input_subject && input_subject.value == '') + { + var subject = prompt(this.get_label('nosubjectwarning'), this.get_label('nosubject')); + + // user hit cancel, so don't send + if (!subject && subject !== '') + { + input_subject.focus(); + break; + } + else + { + input_subject.value = subject ? subject : this.get_label('nosubject'); + } + } + + // check for empty body + if (input_message.value=='') + { + if (!confirm(this.get_label('nobodywarning'))) + { + input_message.focus(); + break; + } + } + + // all checks passed, send message + this.set_busy(true, 'sendingmessage'); + var form = this.gui_objects.messageform; + form.submit(); break; case 'add-attachment': @@ -760,7 +831,13 @@ function rcube_webmail() this.set_busy = function(a, message) { if (a && message) - this.display_message('Loading...', 'loading', true); + { + var msg = this.get_label(message); + if (msg==message) + msg = 'Loading...'; + + this.display_message(msg, 'loading', true); + } else if (!a && this.busy) this.hide_message(); @@ -780,6 +857,17 @@ function rcube_webmail() }; + // return a localized string + this.get_label = function(name) + { + if (this.labels[name]) + return this.labels[name]; + else + return name; + }; + + + // switch to another application task this.switch_task = function(task) { if (this.task===task && task!='mail') diff --git a/program/js/common.js b/program/js/common.js index 78fecf8fe..0c9917ad9 100644 --- a/program/js/common.js +++ b/program/js/common.js @@ -6,7 +6,7 @@ | Copyright (C) 2005, RoundCube Dev, - Switzerland | | Licensed under the GNU GPL | | | - | Modified:2005/10/21 (roundcube) | + | Modified:2005/11/06 (roundcube) | | | +-----------------------------------------------------------------------+ | Author: Thomas Bruederli | @@ -264,6 +264,19 @@ function rcube_layer(id, attributes) } +// check if input is a valid email address +function rcube_check_email(input, inline) + { + if (input && window.RegExp) + { + var reg_str = '([a-z0-9][-a-z0-9\.\+_]*)\@([a-z0-9]([-a-z0-9][\.]?)*[a-z0-9]\.[a-z]{2,9})'; + var reg1 = inline ? new RegExp(reg_str, 'i') : new RegExp('^'+reg_str+'$', 'i'); + var reg2 = /[\._\-\@]{2}/; + return reg1.test(input) && !reg2.test(input) ? true : false; + } + return false; + } + // find a value in a specific array and returns the index function find_in_array() diff --git a/program/localization/de/labels.inc b/program/localization/de/labels.inc index 36ade6413..fe5bd8e25 100644 --- a/program/localization/de/labels.inc +++ b/program/localization/de/labels.inc @@ -119,6 +119,8 @@ $labels['normal'] = 'Normal'; $labels['high'] = 'Hoch'; $labels['highest'] = 'Höchste'; +$labels['nosubject'] = '(kein Betreff)'; + $labels['showimages'] = 'Bilder anzeigen'; diff --git a/program/localization/de/messages.inc b/program/localization/de/messages.inc index 41470fab4..e8eabe10a 100644 --- a/program/localization/de/messages.inc +++ b/program/localization/de/messages.inc @@ -32,7 +32,9 @@ $messages['loggedout'] = 'Sie haben Ihre Session erfolgreich beendet. Auf Wieder $messages['mailboxempty'] = 'Ordner ist leer'; -$messages['loadingdata'] = 'Daten werden geladen...'; +$messages['loading'] = $messages['loadingdata'] = 'Daten werden geladen...'; + +$messages['sendingmessage'] = 'Nachricht wird gesendet...'; $messages['messagesent'] = 'Nachricht erfolgreich gesendet'; @@ -52,5 +54,18 @@ $messages['sendingfailed'] = 'Versand der Nachricht fehlgeschlagen'; $messages['errorsaving'] = 'Beim Speichern ist ein Fehler aufgetreten'; +$messages['formincomplete'] = 'Das Formular wurde nicht vollständig ausgefüllt'; + +$messages['noemailwarning'] = 'Bitte geben Sie eine gültige E-Mail-Adresse ein'; + +$messages['nonamewarning'] = 'Bitte geben Sie einen Namen ein'; + +$messages['nopagesizewarning'] = 'Bitte geben Sie eine Einträge pro Seite ein'; + +$messages['norecipientwarning'] = 'Bitte geben Sie mindestens einen Empfänger an'; + +$messages['nosubjectwarning'] = 'Die Betreffzeile ist leer. Möchten Sie jetzt einen Betreff eingeben?'; + +$messages['nobodywarning'] = 'Diese Nachricht ohne Inhalt senden?'; ?> \ No newline at end of file diff --git a/program/localization/en/labels.inc b/program/localization/en/labels.inc index e44f8298f..34d46a3ea 100644 --- a/program/localization/en/labels.inc +++ b/program/localization/en/labels.inc @@ -119,6 +119,8 @@ $labels['normal'] = 'Normal'; $labels['high'] = 'High'; $labels['highest'] = 'Highest'; +$labels['nosubject'] = '(no subject)'; + $labels['showimages'] = 'Display images'; diff --git a/program/localization/en/messages.inc b/program/localization/en/messages.inc index 0ad04ed7e..1ce6bba6d 100644 --- a/program/localization/en/messages.inc +++ b/program/localization/en/messages.inc @@ -32,8 +32,12 @@ $messages['loggedout'] = 'You have successfully terminated the session. Goody by $messages['mailboxempty'] = 'Mailbox is empty'; +$messages['loading'] = 'Loading...'; + $messages['loadingdata'] = 'Loading data...'; +$messages['sendingmessage'] = 'Sending message...'; + $messages['messagesent'] = 'Message sent successfully'; $messages['successfullysaved'] = 'Successfully saved'; @@ -56,5 +60,21 @@ $messages['errormoving'] = 'Could not move the message'; $messages['errordeleting'] = 'Could not delete the message'; +$messages['errordeleting'] = 'Could not delete the message'; + +$messages['formincomplete'] = 'The form was not completely filled out'; + +$messages['noemailwarning'] = 'Please enter a valid email address'; + +$messages['nonamewarning'] = 'Please enter a name'; + +$messages['nopagesizewarning'] = 'Please enter a page size'; + +$messages['norecipientwarning'] = 'Please enter at least one recipient'; + +$messages['nosubjectwarning'] = 'The "Subject" field is empty. Would you like to enter one now?'; + +$messages['nobodywarning'] = 'Send this message without text?'; + ?> \ No newline at end of file diff --git a/program/steps/addressbook/edit.inc b/program/steps/addressbook/edit.inc index 24300bfce..feb794f4d 100644 --- a/program/steps/addressbook/edit.inc +++ b/program/steps/addressbook/edit.inc @@ -31,7 +31,7 @@ if (($_GET['_cid'] || $_POST['_cid']) && $_action=='edit') $_SESSION['user_id']); $CONTACT_RECORD = $DB->fetch_assoc(); - + if (is_array($CONTACT_RECORD)) $OUTPUT->add_script(sprintf("%s.set_env('cid', '%s');", $JS_OBJECT_NAME, $CONTACT_RECORD['contact_id'])); } @@ -45,6 +45,10 @@ function rcmail_contact_editform($attrib) if (!$CONTACT_RECORD && $GLOBALS['_action']!='add') return rcube_label('contactnotfound'); + // add some labels to client + rcube_add_label('noemailwarning'); + rcube_add_label('nonamewarning'); + list($form_start, $form_end) = get_form_tags($attrib); unset($attrib['form']); diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc index c80707fcf..2f54e435b 100644 --- a/program/steps/addressbook/save.inc +++ b/program/steps/addressbook/save.inc @@ -23,6 +23,15 @@ $a_save_cols = array('name', 'firstname', 'surname', 'email'); +// check input +if (empty($_POST['_name']) || empty($_POST['_email'])) + { + show_message('formincomplete', 'warning'); + rcmail_overwrite_action($_POST['_cid'] ? 'show' : 'add'); + return; + } + + // update an existing contact if ($_POST['_cid']) { @@ -34,7 +43,7 @@ if ($_POST['_cid']) if (!isset($_POST[$fname])) continue; - $a_write_sql[] = sprintf("%s='%s'", $col, addslashes(strip_tags($_POST[$fname]))); + $a_write_sql[] = sprintf("%s=%s", $DB->quoteIdentifier($col), $DB->quote(strip_tags($_POST[$fname]))); } if (sizeof($a_write_sql)) @@ -87,7 +96,7 @@ if ($_POST['_cid']) { // show error message show_message('errorsaving', 'error'); - $_action = 'show'; + rcmail_overwrite_action('show'); } } @@ -95,6 +104,22 @@ if ($_POST['_cid']) else { $a_insert_cols = $a_insert_values = array(); + + // check for existing contacts + $sql_result = $DB->query("SELECT 1 FROM ".get_table_name('contacts')." + WHERE user_id=? + AND email=? + AND del<>'1'", + $_SESSION['user_id'], + $_POST['_email']); + + // show warning message + if ($DB->num_rows($sql_result)) + { + show_message('contactexists', 'warning'); + $_action = 'add'; + return; + } foreach ($a_save_cols as $col) { @@ -103,13 +128,13 @@ else continue; $a_insert_cols[] = $col; - $a_insert_values[] = sprintf("'%s'", addslashes(strip_tags($_POST[$fname]))); + $a_insert_values[] = $DB->quote(strip_tags($_POST[$fname])); } if (sizeof($a_insert_cols)) { $DB->query("INSERT INTO ".get_table_name('contacts')." - (user_id, changedm ".join(', ', $a_insert_cols).") + (user_id, changed, ".join(', ', $a_insert_cols).") VALUES (?, now(), ".join(', ', $a_insert_values).")", $_SESSION['user_id']); @@ -153,7 +178,7 @@ else { // show error message show_message('errorsaving', 'error'); - $_action = 'add'; + rcmail_overwrite_action('add'); } } diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc index 0dc450205..d01e399e6 100644 --- a/program/steps/mail/compose.inc +++ b/program/steps/mail/compose.inc @@ -32,6 +32,10 @@ if (!is_array($_SESSION['compose'])) $_SESSION['compose'] = array('id' => uniqid(rand())); +// add some labels to client +rcube_add_label('nosubject', 'norecipientwarning', 'nosubjectwarning', 'nobodywarning', 'sendingmessage'); + + if ($_GET['_reply_uid'] || $_GET['_forward_uid']) { $msg_uid = $_GET['_reply_uid'] ? $_GET['_reply_uid'] : $_GET['_forward_uid']; diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc index 48a5ccc6f..2bafaebc1 100644 --- a/program/steps/mail/sendmail.inc +++ b/program/steps/mail/sendmail.inc @@ -28,7 +28,7 @@ require_once('Mail/mime.php'); if (!isset($_SESSION['compose']['id'])) { - $_action = 'list'; + rcmail_overwrite_action('list'); return; } @@ -65,6 +65,14 @@ function rcmail_get_identity($id) /****** check submission and compose message ********/ +if (empty($_POST['_to']) && empty($_POST['_subject']) && $_POST['_message']) + { + show_message("sendingfailed", 'error'); + rcmail_overwrite_action('compose'); + return; + } + + $mailto_regexp = array('/,\s*[\r\n]+/', '/[\r\n]+/', '/,\s*$/m'); $mailto_replace = array(' ', ', ', ''); @@ -206,9 +214,8 @@ else // return to compose page if sending failed if (!$sent) { - $_action = 'compose'; - $OUTPUT->add_script(sprintf("\n%s.set_env('action', '%s');", $JS_OBJECT_NAME, $_action)); show_message("sendingfailed", 'error'); + rcmail_overwrite_action('compose'); return; } diff --git a/program/steps/settings/edit_identity.inc b/program/steps/settings/edit_identity.inc index dc2f14990..6649c209a 100644 --- a/program/steps/settings/edit_identity.inc +++ b/program/steps/settings/edit_identity.inc @@ -48,6 +48,11 @@ function rcube_identity_form($attrib) if (!$IDENTITY_RECORD && $GLOBALS['_action']!='add-identity') return rcube_label('notfound'); + // add some labels to client + rcube_add_label('noemailwarning'); + rcube_add_label('nonamewarning'); + + list($form_start, $form_end) = get_form_tags($attrib, 'save-identity', array('name' => '_iid', 'value' => $IDENTITY_RECORD['identity_id'])); unset($attrib['form']); diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc index 9b7ef002b..01b692395 100644 --- a/program/steps/settings/func.inc +++ b/program/steps/settings/func.inc @@ -34,6 +34,9 @@ function rcmail_user_prefs_form($attrib) { global $DB, $CONFIG, $sess_user_lang; + // add some labels to client + rcube_add_label('nopagesizewarning'); + list($form_start, $form_end) = get_form_tags($attrib, 'save-prefs'); unset($attrib['form']); diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc index ea186ec12..2e42987bf 100644 --- a/program/steps/settings/save_identity.inc +++ b/program/steps/settings/save_identity.inc @@ -22,6 +22,15 @@ $a_save_cols = array('name', 'email', 'organization', 'reply-to', 'bcc', 'default'); +// check input +if (empty($_POST['_name']) || empty($_POST['_email'])) + { + show_message('formincomplete', 'warning'); + rcmail_overwrite_action('edit-identitiy'); + return; + } + + // update an existing contact if ($_POST['_iid']) { @@ -33,7 +42,7 @@ if ($_POST['_iid']) if (!isset($_POST[$fname])) continue; - $a_write_sql[] = sprintf("`%s`='%s'", $col, addslashes(strip_tags($_POST[$fname]))); + $a_write_sql[] = sprintf("%s=%s", $DB->quoteIdentifier($col), $DB->quote(strip_tags($_POST[$fname]))); } if (sizeof($a_write_sql)) @@ -56,11 +65,11 @@ if ($_POST['_iid']) // mark all other identities as 'not-default' $DB->query("UPDATE ".get_table_name('identities')." SET ".$DB->quoteIdentifier('default')."='0' - WHERE identity_id!=? - AND user_id=? + WHERE user_id=? + AND identity_id<>? AND del<>'1'", - $_POST['_iid'], - $_SESSION['user_id']); + $_SESSION['user_id'], + $_POST['_iid']); if ($_POST['_framed']) { @@ -71,7 +80,8 @@ if ($_POST['_iid']) else { // show error message - + show_message('errorsaving', 'error'); + rcmail_overwrite_action('edit-identitiy'); } } @@ -87,7 +97,7 @@ else continue; $a_insert_cols[] = $DB->quoteIdentifier($col); - $a_insert_values[] = sprintf("'%s'", addslashes(strip_tags($_POST[$fname]))); + $a_insert_values[] = $DB->quote(strip_tags($_POST[$fname])); } if (sizeof($a_insert_cols)) @@ -113,18 +123,13 @@ else else { // show error message + show_message('errorsaving', 'error'); + rcmail_overwrite_action('edit-identitiy'); } } // go to next step -if ($_POST['_framed']) - $_action = 'edit-identitiy'; -else - $_action = 'identities'; - - -// overwrite action variable -$OUTPUT->add_script(sprintf("\n%s.set_env('action', '%s');", $JS_OBJECT_NAME, $_action)); +rcmail_overwrite_action($_POST['_framed'] ? 'edit-identitiy' : 'identities'); ?> \ No newline at end of file -- cgit v1.2.3