Diffstat (limited to 'cgi/manage.py')
-rw-r--r-- | cgi/manage.py | 90 |
1 files changed, 39 insertions, 51 deletions
diff --git a/cgi/manage.py b/cgi/manage.py index 02eaf41..93a9921 100644 --- a/cgi/manage.py +++ b/cgi/manage.py @@ -274,23 +274,18 @@ def manage(self, path_split): if not moderator: return - try: - action_taken = True - member = FetchOne( - 'SELECT `username` FROM `staff` WHERE `id` = ' + _mysql.escape_string(path_split[4]) + ' LIMIT 1') - if member: - UpdateDb('DELETE FROM `staff` WHERE `id` = ' + - _mysql.escape_string(path_split[4]) + ' LIMIT 1') - message = 'Staff member deleted.' - template_filename = "message.html" - logAction(staff_account['username'], _( - 'Deleted staff account for %s') % member['username']) - else: - message = _( - 'Unable to locate a staff account with that ID.') - template_filename = "message.html" - except: - pass + action_taken = True + member = FetchOne('SELECT `username` FROM `staff` WHERE `id` = %s LIMIT 1', (path_split[4],)) + if member: + UpdateDb('DELETE FROM `staff` WHERE `id` = %s LIMIT 1', (path_split[4],)) + message = 'Staff member deleted.' + template_filename = "message.html" + logAction(staff_account['username'], _( + 'Deleted staff account for %s') % member['username']) + else: + message = _( + 'Unable to locate a staff account with that ID.') + template_filename = "message.html" if not action_taken: staff = FetchAll('SELECT * FROM `staff` ORDER BY `rights`') @@ -353,7 +348,7 @@ def manage(self, path_split): if imageonly: message = 'Archivo de post /%s/%s eliminado.' % ( board['dir'], post['id']) - elif permanently or post["parentid"] == '0': + elif permanently or post["parentid"] == 0: message = 'Post /%s/%s eliminado permanentemente.' % ( board['dir'], post['id']) else: @@ -384,7 +379,7 @@ def manage(self, path_split): message = _('Post is not a thread opener.') template_filename = "message.html" else: - if not post['locked']: + if post['locked'] == 0: # Cerrar si esta abierto setLocked = 1 else: 
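Review bot: Dropping the bare `try/except: pass` is right, but `action_taken = True` now runs before `path_split[4]` is read, so a delete URL with no id segment raises IndexError out of manage() instead of falling through to the staff listing as the old silenced path did. The id also reaches the query as a raw URL segment; with `id = %s` a non-numeric value is presumably left to the driver/server to coerce rather than rejected. Validate it up front and route bad input to the existing not-found message: `member = None`, `if len(path_split) > 4 and path_split[4].isdigit():`, with the FetchOne under that guard. `'Staff member deleted.'` is also the only message in this hunk not wrapped in `_()`.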
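Review bot: `post["parentid"] == 0` replaces a comparison against the string `'0'`, so the message branch now depends on FetchOne returning `parentid` as a native int; the same `'0'` → `0` switch appears in the other hunks, which suggests the DB layer changed together with the parameterized queries, but nothing in this diff shows that. If rows still come back with string values, `'0' == 0` is False and deleting a thread opener is reported with the reply message. Worth confirming the driver's type conversion, or normalising once with `int(post["parentid"]) == 0`.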
@@ -392,7 +387,7 @@ def manage(self, path_split): setLocked = 0 UpdateDb("UPDATE `posts` SET `locked` = %s WHERE `boardid` = %s AND `id` = %s LIMIT 1", - (setLocked, board["id"], postid)) + (setLocked, board["id"], post["id"])) threadUpdated(postid) if setLocked == 1: message = _('Thread successfully closed.') @@ -732,7 +727,7 @@ def manage(self, path_split): else: message = _('Ban successfully placed.') action = 'Banned ' + ip - if until != '0': + if until != 0: action += ' until ' + \ formatTimestamp(until) else: @@ -997,16 +992,16 @@ def manage(self, path_split): if path_split[4] == 'restore': board = setBoard(path_split[5]) - post = FetchOne('SELECT `parentid` FROM `posts` WHERE `boardid` = ' + - board['id'] + ' AND `id` = \'' + _mysql.escape_string(path_split[6]) + '\' LIMIT 1') + post = FetchOne('SELECT `parentid` FROM `posts` WHERE `boardid` = %s AND `id` = %s LIMIT 1', + (board['id'], path_split[6])) if not post: message = _( 'Unable to locate a post with that ID.') + '<br />' template_filename = "message.html" else: - UpdateDb('UPDATE `posts` SET `IS_DELETED` = 0 WHERE `boardid` = ' + - board['id'] + ' AND `id` = \'' + _mysql.escape_string(path_split[6]) + '\' LIMIT 1') - if post['parentid'] != '0': + UpdateDb('UPDATE `posts` SET `IS_DELETED` = 0 WHERE `boardid` = %s AND `id` = %s LIMIT 1', + (board['id'], path_split[6])) + if post['parentid'] != 0: threadUpdated(post['parentid']) else: regenerateFrontPages() 
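Review bot: The UPDATE now binds `post["id"]` while `threadUpdated(postid)` on the next line still passes `postid`; if the two differ (the swap suggests `postid` is the raw URL segment and `post["id"]` the stored value), the thread that gets regenerated no longer matches the row that was locked. Use the same identifier for both: `threadUpdated(post["id"])`. The enclosing function continues outside the hunk.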
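Review bot: The restore path writes nothing to the staff log, whereas the staff-deletion hunk earlier in this diff records its action with `logAction(...)`; undeleting a post is a moderation action that should be traceable in the same way. Add after the UpdateDb: `logAction(staff_account['username'], 'Restored post /%s/%s' % (board['dir'], path_split[6]))` — `staff_account` and `board['dir']` are used elsewhere in manage(), assuming they are in scope at this point. As in the other handlers, `path_split[6]` is passed to the query unvalidated; a `len(path_split)` / `isdigit()` check before the FetchOne would route malformed URLs to the existing not-found message rather than an IndexError.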
@@ -1485,8 +1480,7 @@ def manage(self, path_split): elif filter_action == 1: # Change to if len(self.formdata["changeto"]) > 0: - filter_to = _mysql.escape_string( - self.formdata["changeto"]) + filter_to = self.formdata["changeto"] sql_query = "INSERT INTO `filters` (`id`, `boards`, `type`, `action`, `from`, `from_trip`, `reason`, `to`, `added`, `staff`) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s)" sql_params = (edit_id, where, filter_type, filter_action, filter_from, filter_tripcode, filter_reason, filter_to, timestamp(), staff_account['username']) else: 
@@ -1495,27 +1489,24 @@ def manage(self, path_split): return elif filter_action == 2: # Ban - filter_seconds = '0' + filter_seconds = 0 if len(self.formdata["seconds"]) > 0: - filter_seconds = _mysql.escape_string( - self.formdata["seconds"]) - if "blind" in self.formdata and self.formdata["blind"] == '1': - filter_blind = '1' + filter_seconds = int(self.formdata["seconds"]) + if "blind" in self.formdata and self.formdata["blind"] == 1: + filter_blind = 1 else: - filter_blind = '2' + filter_blind = 2 - sql_query = "INSERT INTO `filters` (`id`, `boards`, `type`, `action`, `from`, `from_trip`, `reason`, `seconds`, `blind`, `added`, `staff`) VALUES (%d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')" % \ - (edit_id, where, str(filter_type), str(filter_action), filter_from, filter_tripcode, filter_reason, - filter_seconds, filter_blind, str(timestamp()), _mysql.escape_string(staff_account['username'])) + sql_query = "INSERT INTO `filters` (`id`, `boards`, `type`, `action`, `from`, `from_trip`, `reason`, `seconds`, `blind`, `added`, `staff`) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)" + sql_params = (edit_id, where, filter_type, filter_action, filter_from, filter_tripcode, filter_reason, + filter_seconds, filter_blind, timestamp(), staff_account['username']) elif filter_action == 3: # Redirect URL if len(self.formdata['redirect_url']) > 0: - redirect_url = _mysql.escape_string( - self.formdata['redirect_url']) + redirect_url = self.formdata['redirect_url'] redirect_time = 0 try: - redirect_time = int( - self.formdata['redirect_time']) + redirect_time = int(self.formdata['redirect_time']) except: pass else: 
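Review bot: `self.formdata["blind"] == 1` compares a form field against an int, but two lines above the same hunk has to call `int(self.formdata["seconds"])`, which shows formdata values arrive as strings; the removed line compared with `'1'`, so after this change the blind check can never match and every ban filter is stored with `filter_blind = 2`. Keep the string comparison or convert: `if "blind" in self.formdata and self.formdata["blind"] == '1':`. Separately, `int(self.formdata["seconds"])` is unguarded while the redirect branch below wraps its `int(...)` in a try/except — a non-numeric `seconds` now raises ValueError out of manage(); give it the same handling or reject it with an error message.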
@@ -1523,20 +1514,17 @@ def manage(self, path_split): _("You must enter a URL to redirect to.")) return - sql_query = "INSERT INTO `filters` (`id`, `boards`, `type`, `action`, `from`, `from_trip`, `reason`, `redirect_url`, `redirect_time`, `added`, `staff`) VALUES (%d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')" % \ - (edit_id, where, str(filter_type), str(filter_action), filter_from, filter_tripcode, filter_reason, redirect_url, str( - redirect_time), str(timestamp()), _mysql.escape_string(staff_account['username'])) + sql_query = "INSERT INTO `filters` (`id`, `boards`, `type`, `action`, `from`, `from_trip`, `reason`, `redirect_url`, `redirect_time`, `added`, `staff`) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)" + sql_params = (edit_id, where, filter_type, filter_action, filter_from, filter_tripcode, filter_reason, redirect_url, redirect_time, timestamp(), staff_account['username']) # DO QUERY! if edit_id > 0: - UpdateDb( - "DELETE FROM `filters` WHERE `id` = %s" % str(edit_id)) - UpdateDb(sql_query) + UpdateDb("DELETE FROM `filters` WHERE `id` = %s", (edit_id,)) + UpdateDb(sql_query, sql_params) message = 'Filter edited.' else: - filt = FetchOne("SELECT `id` FROM `filters` WHERE `boards` = '%s' AND `type` = '%s' AND `from` = '%s'" % ( - where, str(filter_type), filter_from)) + filt = FetchOne("SELECT `id` FROM `filters` WHERE `boards` = %s AND `type` = %s AND `from` = %s", (where, filter_type, filter_from)) if not filt: - UpdateDb(sql_query) + UpdateDb(sql_query, sql_params) message = 'Filter added.' else: message = 'This filter already exists here:' + ' <a href="' + \ @@ -1802,7 +1790,7 @@ def manage(self, path_split): return # Delete! - UpdateDb("DELETE FROM `news` WHERE id = '" + _mysql.escape_string(path_split[4]) + "' AND type = '0'") + UpdateDb("DELETE FROM `news` WHERE id = %s AND type = '0'", (path_split[4],)) message = _("Deleted successfully.") template_filename = "message.html" else: |
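Review bot: Editing a filter runs `DELETE FROM filters WHERE id = %s` and then the INSERT as two separate UpdateDb calls; if the insert fails after the delete has gone through, the filter is silently gone and the user still sees no error. Whether UpdateDb autocommits is not visible here — if it does, either run both statements in one transaction or replace the pair with a single `UPDATE filters SET ... WHERE id = %s` so the row survives a failed write. The duplicate check in the add path is fine now that it is parameterized.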