ruạṛ
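<?php
/**
 * Utility script combining and whitelisting all calls to change the order_id of an item
 *
 * Every table and column name that reaches the SQL below comes from the literal
 * whitelist in the if/elseif chain, never from the request. The id value comes
 * from is_numeric_id(); its return is assumed to be a canonical numeric id
 * (TODO confirm in universal.php) — that assumption is the only thing that makes
 * $id safe to interpolate, because mysql_query() offers no parameter binding.
 * The mysql_* extension is removed as of PHP 7; moving this to mysqli/PDO with a
 * prepared statement would remove the interpolation of $id entirely.
 *
 * @version 0.9
 * @author Robert Urquhart <programmer@activatedesign.co.nz>
 * @package WEP-CMS
 */
require_once $_SERVER['DOCUMENT_ROOT'].'/admin/scripts-includes/universal.php';

// Establishes the connection that mysql_query() below uses implicitly (no link
// argument is passed, so the last-opened link is used).
$conn_ID = connect_to_db();

// whitelisting: resolve the request to a (table, key column, id, label) tuple.
// Order matters: 'prod' is checked before 'cat' because a product may be moved
// within a category, in which case both parameters are present.
if (isset($_GET['page']) && $id = is_numeric_id($_GET['page'])) {
    $table  = 'page_data';
    $field  = 'page_id';
    $return = 'Page';
} elseif (isset($_GET['prod']) && $pid = is_numeric_id($_GET['prod'], true)) {
    if (isset($_GET['cat']) && $cid = is_numeric_id($_GET['cat'], true)) {
        // Product inside a category: the order lives on the xref row, which is
        // addressed by the 'category:product' pair rather than a single key.
        $table = 'product_category_xref';
        $field = "concat_ws(':',category_id,product_id)";
        $id    = $cid.':'.$pid;
    } else {
        $table = 'product';
        $field = 'prod_id';
        $id    = $pid;
    }
    $return = 'Product';
} elseif (isset($_GET['cat']) && $id = is_numeric_id($_GET['cat'])) {
    $table  = 'categories';
    $field  = 'cat_id';
    $return = 'Category';
} elseif (isset($_GET['ship']) && $id = is_numeric_id($_GET['ship'])) {
    $table  = 'shipping';
    $field  = 'ship_id';
    $return = 'Entry';
} elseif (isset($_GET['image']) && $id = is_numeric_id($_GET['image'])) {
    $table  = 'image_data';
    $field  = 'image_id';
    $return = 'Image';
} else {
    getout('Invalid ID', 'index.php');
    exit;
}

// The direction is whitelisted as well: only 'up' and 'down' ever produce SQL.
// A missing 'move' parameter used to raise an undefined-index notice, and an
// unknown value fell through and still reported success; both are now rejected
// the same way an invalid id is.
$move = isset($_GET['move']) ? clean_plain_data($_GET['move']) : '';
switch ($move) {
    case 'up':
        $delta = '+1';
        break;
    case 'down':
        $delta = '-1';
        break;
    default:
        getout('Invalid move', 'index.php');
        exit;
}

// NOTE(review): this is a state-changing GET request and no CSRF/origin check
// is visible in this script, so it relies on universal.php or the admin session
// layer to provide one — confirm that is the case.
if (!mysql_query("update $table set order_id=order_id$delta where $field='$id'")) {
    getout(mysql_error());
    exit;
}

$message = "$return updated successfully.";
getout($message);
exit;
?>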
cải xoăn