r61634 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r61633‎ \| r61634 \| r61635 >
Date:	14:23, 28 January 2010
Author:	raymond
Status:	ok (Comments)
Tags:
Comment:	Add desc and right messages to i18n Update extension credits Run stylize.php
Modified paths:	/trunk/extensions/LastUserLogin/LastUserLogin.i18n.php (modified) (history) /trunk/extensions/LastUserLogin/LastUserLogin.php (modified) (history) /trunk/extensions/LastUserLogin/LastUserLogin_body.php (modified) (history)

Diff [purge]

Index: trunk/extensions/LastUserLogin/LastUserLogin.i18n.php
—	—	@@ -15,11 +15,13 @@
16	16	*/
17	17	$messages['en'] = array(
18	18	'lastuserlogin' => 'Last user login',
	19	+ 'lastuserlogin-desc' => 'Displays the last time a user logged in',
19	20	'lastuserlogin_userid' => 'Username',
20	21	'lastuserlogin_username' => 'Real name',
21	22	'lastuserlogin_useremail' => 'User email',
22	23	'lastuserlogin_lastlogin' => 'Last login',
23	24	'lastuserlogin_daysago' => 'Days ago',
	25	+ 'right-lastlogin' => 'View the last time a user logged in',
24	26	);
25	27
26	28	/** German (Deutsch) */
Index: trunk/extensions/LastUserLogin/LastUserLogin.php
—	—	@@ -4,7 +4,7 @@
5	5	*
6	6	* @file
7	7	* @ingroup Extensions
8		~~- * @version 1.2.0~~
	8	+ * @version 1.2.1
9	9	* @author Justin G. Cramer
10	10	* @author Danila Ulyanov
11	11	* @author Thomas Klein
—	—	@@ -26,24 +26,26 @@
27	27	* http://www.gnu.org/copyleft/gpl.html
28	28	*/
29	29
30		~~-if( !defined( 'MEDIAWIKI' ) ) {~~
	30	+if ( !defined( 'MEDIAWIKI' ) ) {
31	31	die();
32	32	}
33	33
34	34	// Extension credits that will show up on Special:Version
35	35	$wgExtensionCredits['specialpage'][] = array(
	36	+ 'path' => __FILE__,
36	37	'name' => 'LastUserLogin',
37		~~- 'version' => '1.2.0',~~
38		~~- 'author' => array('Justin G. Cramer', 'Danila Ulyanov', 'Thomas Klein'),~~
	38	+ 'version' => '1.2.1',
	39	+ 'author' => array( 'Justin G. Cramer', 'Danila Ulyanov', 'Thomas Klein' ),
	40	+ 'url' => 'http://www.mediawiki.org/wiki/Extension:SpecialLastUserLoginEx',
39	41	'description' => 'Displays the last time a user logged in',
40		~~- 'url' => 'http://www.mediawiki.org/wiki/Extension:SpecialLastUserLoginEx',~~
	42	+ 'descriptionmsg' => 'lastuserlogin-desc',
41	43	);
42	44
43	45	// New user right
44	46	$wgAvailableRights[] = 'lastlogin';
45	47
46	48	// Set up the new special page
47		~~-$dir = dirname(__FILE__) . '/';~~
	49	+$dir = dirname( __FILE__ ) . '/';
48	50	$wgAutoloadClasses['LastUserLogin'] = $dir . 'LastUserLogin_body.php';
49	51	$wgExtensionMessagesFiles['LastUserLogin'] = $dir . 'LastUserLogin.i18n.php';
50	52	$wgSpecialPages['LastUserLogin'] = 'LastUserLogin';
—	—	@@ -52,12 +54,12 @@
53	55	$wgExtensionFunctions[] = 'wfUpdateUserTouched';
54	56
55	57	function wfUpdateUserTouched() {
56		~~- global $wgOut, $wgCookiePrefix;~~
	58	+ global $wgOut, $wgCookiePrefix;
57	59
58		~~- if( isset( $_COOKIE ) && isset( $_COOKIE["{$wgCookiePrefix}UserID"] ) ) {~~
	60	+ if ( isset( $_COOKIE ) && isset( $_COOKIE["{$wgCookiePrefix}UserID"] ) ) {
59	61	$dbw = wfGetDB( DB_MASTER );
60		~~- $query = "UPDATE ".$dbw->tableName('user')." SET user_touched = '".$dbw->timestamp()."' WHERE user_id = ".intval($_COOKIE["{$wgCookiePrefix}UserID"]);~~
61		~~- $dbw->doQuery($query);~~
	62	+ $query = "UPDATE " . $dbw->tableName( 'user' ) . " SET user_touched = '" . $dbw->timestamp() . "' WHERE user_id = " . intval( $_COOKIE["{$wgCookiePrefix}UserID"] );
	63	+ $dbw->doQuery( $query );
62	64	}
63	65	}
64	66
Index: trunk/extensions/LastUserLogin/LastUserLogin_body.php
—	—	@@ -1,5 +1,5 @@
2	2	<?php
3		-
	3	+
4	4	class LastUserLogin extends SpecialPage {
5	5
6	6	/**
—	—	@@ -31,7 +31,7 @@
32	32	}
33	33
34	34	# If the user doesn't have the required 'lastlogin' permission, display an error
35		~~- if( !$wgUser->isAllowed( 'lastlogin' ) ) {~~
	35	+ if ( !$wgUser->isAllowed( 'lastlogin' ) ) {
36	36	$wgOut->permissionRequired( 'lastlogin' );
37	37	return;
38	38	}
—	—	@@ -51,56 +51,56 @@
52	52	);
53	53
54	54	// Get order by and check it
55		~~- if( isset( $_REQUEST['order_by'] ) ){~~
56		~~- if( isset( $fields[$_REQUEST['order_by']] ) ){~~
	55	+ if ( isset( $_REQUEST['order_by'] ) ) {
	56	+ if ( isset( $fields[$_REQUEST['order_by']] ) ) {
57	57	$orderby = $_REQUEST['order_by'];
58	58	} else {
59	59	$orderby = 'user_name';
60	60	}
61	61	} else {
62	62	$orderby = 'user_name';
63		~~- }~~
	63	+ }
64	64
65	65	// Get order type and check it
66		~~- if( isset( $_REQUEST['order_type'] ) ){~~
67		~~- if( $_REQUEST['order_type'] == 'DESC' ){~~
	66	+ if ( isset( $_REQUEST['order_type'] ) ) {
	67	+ if ( $_REQUEST['order_type'] == 'DESC' ) {
68	68	$ordertype = $_REQUEST['order_type'];
69	69	} else {
70	70	$ordertype = 'ASC';
71	71	}
72	72	} else {
73	73	$ordertype = 'ASC';
74		~~- }~~
	74	+ }
75	75
76		~~- $query = "SELECT user_name, user_real_name, user_email, user_touched FROM ".$dbr->tableName('user')." ORDER BY ".$orderby." ".$ordertype;~~
	76	+ $query = "SELECT user_name, user_real_name, user_email, user_touched FROM " . $dbr->tableName( 'user' ) . " ORDER BY " . $orderby . " " . $ordertype;
77	77	$ordertype = $ordertype == 'ASC' ? 'DESC' : 'ASC';
78	78
79		~~- if( $result = $dbr->doQuery($query) ) {~~
80		~~- $out = '<table width="100%" cellpadding="3" '.$style.'><tr>';~~
	79	+ if ( $result = $dbr->doQuery( $query ) ) {
	80	+ $out = '<table width="100%" cellpadding="3" ' . $style . '><tr>';
81	81
82		~~- foreach( $fields as $key => $value ){~~
83		~~- $out .= '<th '.$style.'><a href="?order_by='.$key.'&order_type='.$ordertype.'">'.wfMsg( $value ).'</a></th>';~~
	82	+ foreach ( $fields as $key => $value ) {
	83	+ $out .= '<th ' . $style . '><a href="?order_by=' . $key . '&order_type=' . $ordertype . '">' . wfMsg( $value ) . '</a></th>';
84	84	}
85	85
86		~~- $out .= "<th $style>".wfMsg( 'lastuserlogin_daysago' )."</th>";~~
	86	+ $out .= "<th $style>" . wfMsg( 'lastuserlogin_daysago' ) . "</th>";
87	87	$out .= '</tr>';
88	88
89		~~- while( $row = $dbr->fetchRow($result) ) {~~
	89	+ while ( $row = $dbr->fetchRow( $result ) ) {
90	90	$out .= '<tr>';
91		~~- foreach( $fields as $key => $value ){~~
	91	+ foreach ( $fields as $key => $value ) {
92	92
93		~~- if( $key == 'user_touched' ) {~~
	93	+ if ( $key == 'user_touched' ) {
94	94	$style = 'style="border:1px solid #000"';
95		~~- $out .= "<td $style>".$wgLang->timeanddate( wfTimestamp( TS_MW, $row[$key] ), true ).~~
96		~~- '</td><td style="border: 1px solid #000; text-align:right;">'.~~
97		~~- $wgLang->formatNum( round( ( mktime() - wfTimestamp( TS_UNIX, $row[$key] ) ) /3600/24, 2 ), 2 )."</td>";~~
	95	+ $out .= "<td $style>" . $wgLang->timeanddate( wfTimestamp( TS_MW, $row[$key] ), true ) .
	96	+ '</td><td style="border: 1px solid #000; text-align:right;">' .
	97	+ $wgLang->formatNum( round( ( mktime() - wfTimestamp( TS_UNIX, $row[$key] ) ) / 3600 / 24, 2 ), 2 ) . "</td>";
98	98	} else {
99		~~- if( $key == 'user_name' ) {~~
	99	+ if ( $key == 'user_name' ) {
100	100	$userPage = Title::makeTitle( NS_USER, htmlspecialchars( $row[$key] ) );
101	101	$name = $skin->makeLinkObj( $userPage, htmlspecialchars( $userPage->getText() ) );
102		~~- $out .= '<td '.$style.'>'.$name.'</a></td>';~~
103		~~- } else {~~
104		~~- $out .= '<td '.$style.'>'.htmlspecialchars($row[$key]).' </td>';~~
	102	+ $out .= '<td ' . $style . '>' . $name . '</a></td>';
	103	+ } else {
	104	+ $out .= '<td ' . $style . '>' . htmlspecialchars( $row[$key] ) . ' </td>';
105	105	}
106	106	}
107	107	}

Comments

#Comment by Platonides (talk | contribs) 15:05, 28 January 2010

SQL injection on $_REQUEST['order_by']

#Comment by Platonides (talk | contribs) 15:45, 28 January 2010

Not really. It check that it belong to $fields.

Status & tagging log

21:17, 1 May 2010 Siebrand (talk | contribs) changed the status of r61634 [removed: deferred added: ok]
05:03, 29 January 2010 Tim Starling (talk | contribs) changed the status of r61634 [removed: new added: deferred]
15:45, 28 January 2010 Platonides (talk | contribs) changed the status of r61634 [removed: fixme added: new]
15:05, 28 January 2010 Platonides (talk | contribs) changed the status of r61634 [removed: new added: fixme]