diff --git a/app/contacts/contact_setting_edit.php b/app/contacts/contact_setting_edit.php index a2bb0a1e28..39393ee088 100644 --- a/app/contacts/contact_setting_edit.php +++ b/app/contacts/contact_setting_edit.php @@ -24,16 +24,20 @@ Mark J Crane Luis Daniel Lucio Quiroz */ -require_once "root.php"; -require_once "resources/require.php"; -require_once "resources/check_auth.php"; -if (permission_exists('contact_setting_edit') || permission_exists('contact_setting_add')) { - //access granted -} -else { - echo "access denied"; - exit; -} + +//includes + require_once "root.php"; + require_once "resources/require.php"; + require_once "resources/check_auth.php"; + +//check permissions + if (permission_exists('contact_setting_edit') || permission_exists('contact_setting_add')) { + //access granted + } + else { + echo "access denied"; + exit; + } //add multi-lingual support $language = new text; @@ -167,7 +171,7 @@ else { if ($action == "add") { messages::add($text['message-add']); } - header("Location: contact_edit.php?id=".$contact_uuid); + header("Location: contact_edit.php?id=".escape($contact_uuid)); return; } //if ($_POST["persistformvar"] != "true") } //(count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) 
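Review bot: `escape()` is the wrong encoder for the query string in `header("Location: contact_edit.php?id=".escape($contact_uuid));` (second hunk on this line) — if it is the HTML-escaping helper the later echo hunks use it for, it neither URL-encodes the value nor ensures the id is a UUID, and a value containing `&` or quotes would come out as HTML entities inside a URL. The check that matches this context is a UUID validation (with the project's helper, if it has one) before the redirect, or at minimum `header("Location: contact_edit.php?id=".urlencode($contact_uuid));`. PHP's header() already rejects CRLF, so the practical exposure here is a malformed redirect rather than header injection, but the encoder should still fit the output context. The enclosing `else {` block starts outside the hunk.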
@@ -182,14 +186,13 @@ else { $prep_statement->execute(); $result = $prep_statement->fetchAll(PDO::FETCH_NAMED); foreach ($result as &$row) { - $contact_setting_category = $row["contact_setting_category"]; - $contact_setting_subcategory = $row["contact_setting_subcategory"]; - $contact_setting_name = $row["contact_setting_name"]; - $contact_setting_value = $row["contact_setting_value"]; - $contact_setting_order = $row["contact_setting_order"]; - $contact_setting_enabled = $row["contact_setting_enabled"]; - $contact_setting_description = $row["contact_setting_description"]; - break; //limit to 1 row + $contact_setting_category = escape($row["contact_setting_category"]); + $contact_setting_subcategory = escape($row["contact_setting_subcategory"]); + $contact_setting_name = escape($row["contact_setting_name"]); + $contact_setting_value = escape($row["contact_setting_value"]); + $contact_setting_order = escape($row["contact_setting_order"]); + $contact_setting_enabled = escape($row["contact_setting_enabled"]); + $contact_setting_description = escape($row["contact_setting_description"]); } unset ($prep_statement); } @@ -237,7 +240,7 @@ else { echo " ".$text['label-contact_setting_category']."\n"; echo "\n"; echo "\n"; - echo " \n"; + echo " \n"; echo "
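Review bot: Applying `escape()` at `$contact_setting_category = escape($row["contact_setting_category"]);` and the six sibling assignments moves HTML encoding to the read side, so every later use of these variables (including the `$i == $contact_setting_order` comparison and any non-HTML use) sees entity-encoded data, while `$row['contact_setting_category']` is still read raw in the `@@ -273` hunk. Keeping the variables raw and calling `escape()` at each `echo` gives the file one encoding rule and avoids double-encoding if a value is ever echoed into a form and re-submitted. Dropping `break; //limit to 1 row` also changes which row wins when the query returns more than one (last instead of first); if the query is keyed on a single uuid that is harmless, but a comment such as `//single row expected; last row wins if more are returned` would record the intent. The `foreach ($result as &$row)` reference is never released with `unset($row);` after the loop, which leaves `$row` aliased to the last element.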
\n"; echo $text['description-contact_setting_category']."\n"; echo "\n"; @@ -248,7 +251,7 @@ else { echo " ".$text['label-contact_setting_subcategory']."\n"; echo "\n"; echo "\n"; - echo " \n"; + echo " \n"; echo "
\n"; echo $text['description-contact_setting_subcategory']."\n"; echo "\n"; @@ -259,7 +262,7 @@ else { echo " ".$text['label-contact_setting_type']."\n"; echo "\n"; echo "\n"; - echo " \n"; + echo " \n"; echo "
\n"; echo $text['description-contact_setting_type']."\n"; echo "\n"; @@ -273,7 +276,7 @@ else { $category = $row['contact_setting_category']; $subcategory = $row['contact_setting_subcategory']; $name = $row['contact_setting_name']; - echo " \n"; + echo " \n"; echo "
\n"; echo $text['description-contact_setting_value']."\n"; echo "\n"; @@ -290,13 +293,13 @@ else { while($i<=999) { $selected = ($i == $contact_setting_order) ? "selected" : null; if (strlen($i) == 1) { - echo " \n"; + echo " \n"; } if (strlen($i) == 2) { - echo " \n"; + echo " \n"; } if (strlen($i) == 3) { - echo " \n"; + echo " \n"; } $i++; } @@ -336,7 +339,7 @@ else { echo " ".$text['label-description']."\n"; echo "\n"; echo "\n"; - echo " \n"; + echo " \n"; echo "
\n"; echo $text['description-description']."\n"; echo "\n"; @@ -345,9 +348,9 @@ else { echo " \n"; echo " \n"; echo "
"; - echo " \n"; + echo " \n"; if ($action == "update") { - echo " \n"; + echo " \n"; } echo " \n"; echo " \n"; @@ -358,4 +361,5 @@ else { //include the footer require_once "resources/footer.php"; + ?>
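Review bot: The closing `?>` added after `require_once "resources/footer.php";` in the last hunk should be left out rather than introduced: in a PHP-only file any byte after the tag beyond the single newline PHP swallows (a second blank line, a stray space) becomes output, and that is easy to add silently in a later edit. The common convention is to omit the closing tag entirely, so `require_once "resources/footer.php";` would remain the final line. The hunk's enclosing `else {` block starts outside the hunk.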