From e7019c257742aeeac1665682786131fb59733a4b Mon Sep 17 00:00:00 2001
From: Dries Buytaert <dries@buytaert.net>
Date: Mon, 2 Oct 2000 07:32:17 +0000
Subject: [PATCH] Changelog --------- - improved the user information page. -
 improved the story submission page. - fixed comments score bug: '.00' -->
 'x.00' - tried fixing the calendar wrapping - UnConeD, is it fixed now? -
 provided a link back to the submission queue after having voted   for a
 story. - fixed comment subject bug (and security flaw) by replacing   quotes
 by &quot;. - updated theme 'zaphod': fixed 2 bugs. - updated theme 'marvin':
 fixed 1 bug and improved the layout so   things wrap (hopefully) better in
 Windows. - comments have by default no subject pre-set - if no subject is  
 provided, the user is warned and when a comment eventually got   submitted
 without a subject, a subject is composed using the x   first characters of
 the comment's body. - improved comments on submit.php - corrected a typo in
 the FAQ.

UnConeD
-------
- replace 'article.php' by 'discussion.php'
- comment() still uses old references to account.php: the
  parameters you supply to account.php no longer hold.
  You have to update those links to the new syntax.
- commentcontrol() is outdated - copy paste the one of
  theme 'marvin' and adjust it to your likings.
---
 .htaccess                  |   6 +-
 account.php                |  14 ++--
 calendar.class.php         |   2 +-
 diary.php                  |  12 +--
 discussion.php             | 167 ++++++++++++++++++-------------------
 faq.php                    |   2 +-
 function.inc               |  10 +--
 search.php                 |   2 +-
 submit.php                 |  26 +++---
 template.inc               |   2 +-
 themes/marvin/marvin.theme |  15 ++--
 11 files changed, 126 insertions(+), 132 deletions(-)

diff --git a/.htaccess b/.htaccess
index 5b3354960afd..8468a18abe7e 100644
--- a/.htaccess
+++ b/.htaccess
@@ -41,8 +41,8 @@ ErrorDocument 500 /error.php
    php_value magic_quotes_gpc        1
    php_value magic_quotes_runtime    0
    php_value magic_quotes_sybase     0
-   php_value session.auto_start      1
-   php_value session.cookie_lifetime 1728000
-   php_value session.gc_maxlifetime  1728000
+   php_value session.auto_start      1  
+   php_value session.cookie_lifetime 17280000
+   php_value session.gc_maxlifetime  17280000
    php_value session.name            DROPID
 </IfModule>
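Review bot: Raising session.cookie_lifetime and session.gc_maxlifetime from 1728000 to 17280000 (roughly 20 to 200 days) keeps a DROPID session id valid ten times longer, which widens the window in which a leaked or stolen cookie can be replayed; the changelog does not mention the change, so if it is deliberate a comment such as `# 200-day sessions: keep users logged in across long absences` would record the intent. The rewritten `session.auto_start` line also picks up trailing whitespace. If long-lived logins are the goal, a shorter gc_maxlifetime combined with re-authentication for account edits limits the exposure without changing the everyday experience much.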
diff --git a/account.php b/account.php
index 5b052315ede8..2de4c412af18 100644
--- a/account.php
+++ b/account.php
@@ -33,7 +33,7 @@ function showUser($uname) {
   
   if ($user && $uname && $user->userid == $uname) {
     $output .= "<P>Welcome $user->userid! This is <B>your</B> user info page. There are many more, but this one is yours. You are probably most interested in editing something, but if you need to kill some time, this place is as good as any other place.</P>\n";
-    $output .= "<TABLE BORDER=0 CELLPADDING=2 CELLSPACING=2>\n";
+    $output .= "<TABLE BORDER=\"0\" CELLPADDING=\"2\" CELLSPACING=\"2\">\n";
     $output .= " <TR><TD ALIGN=\"right\"><B>User ID:</B></TD><TD>$user->userid</TD></TR>\n";
     $output .= " <TR><TD ALIGN=\"right\"><B>Name:</B></TD><TD>". format_data($user->name) ."</TD></TR>\n";
     $output .= " <TR><TD ALIGN=\"right\"><B>E-mail:</B></TD><TD>". format_email_address($user->femail) ."</A></TD></TR>\n";
@@ -48,7 +48,7 @@ function showUser($uname) {
     $theme->footer();
   }
   elseif ($uname && $account = account_getUser($uname)) {
-    $box1 .= "<TABLE BORDER=0 CELLPADDING=2 CELLSPACING=2>\n";
+    $box1 .= "<TABLE BORDER=\"0\" CELLPADDING=\"1\" CELLSPACING=\"1\">\n";
     $box1 .= " <TR><TD ALIGN=\"right\"><B>Username:</B></TD><TD>$account->userid</TD></TR>\n";
     $box1 .= " <TR><TD ALIGN=\"right\"><B>E-mail:</B></TD><TD>". format_email_address($account->femail) ."</TD></TR>\n";
     $box1 .= " <TR><TD ALIGN=\"right\"><B>URL:</B></TD><TD>". format_url($account->url) ."</TD></TR>\n";
@@ -56,15 +56,19 @@ function showUser($uname) {
     $box1 .= "</TABLE>\n";
 
     $result = db_query("SELECT c.cid, c.pid, c.sid, c.subject, c.timestamp, s.subject AS story FROM comments c LEFT JOIN users u ON u.id = c.author LEFT JOIN stories s ON s.id = c.sid WHERE u.userid = '$uname' AND c.timestamp > ". (time() - 1209600) ." ORDER BY cid DESC LIMIT 10");
-    
     while ($comment = db_fetch_object($result)) {
-      $box2 .= "<LI><TABLE BORDER=\"0\"><TR><TD>subject: <A HREF=\"discussion.php?id=$comment->sid&cid=$comment->cid&pid=$comment->pid\">$comment->subject</A><BR>date: ". format_date($comment->timestamp) ."<BR>attached to story: <A HREF=\"discussion.php?id=$comment->sid\">$comment->story</A></TD></TR></TABLE></LI>\n";
+      $box2 .= "<TABLE BORDER=\"0\" CELLPADDING=\"1\" CELLSPACING=\"1\">\n";
+      $box2 .= " <TR><TD ALIGN=\"right\"><B>Comment:</B></TD><TD><A HREF=\"discussion.php?id=$comment->sid&cid=$comment->cid&pid=$comment->pid\">$comment->subject</A></TD></TR>\n";
+      $box2 .= " <TR><TD ALIGN=\"right\"><B>Date:</B></TD><TD>". format_date($comment->timestamp) ."</TD></TR>\n";
+      $box2 .= " <TR><TD ALIGN=\"right\"><B>Story:</B></TD><TD><A HREF=\"discussion.php?id=$comment->sid\">$comment->story</A></TD></TR>\n";
+      $box2 .= "</TABLE>\n";
+      $box2 .= "<BR><BR>\n";
       $comments++;
     }
 
     $result = db_query("SELECT d.* FROM diaries d LEFT JOIN users u ON u.id = d.author WHERE u.userid = '$uname' AND d.timestamp > ". (time() - 1209600) ."  ORDER BY id DESC LIMIT 2");
     while ($diary = db_fetch_object($result)) {
-      $box3 .= "<DL><DT><B>". date("l, F jS", $diary->timestamp) .":</B></DT><DD><P>". check($diary->text) ."</P><P>[ <A HREF=\"diary.php?op=view&name=$uname\">more</A> ]</P></DD></DL>\n";
+      $box3 .= "<DL><DT><B>". date("l, F jS", $diary->timestamp) .":</B></DT><DD><P>". check_output($diary->text) ."</P><P>[ <A HREF=\"diary.php?op=view&name=$uname\">more</A> ]</P></DD></DL>\n";
       $diaries++;
     }
     
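Review bot: The new comment table at L85 interpolates `$comment->subject` into the page unescaped, while the diary text at L96 and every subject rendered in discussion.php in this same commit go through `check_output()`; a comment subject is user-supplied, so the link text should read `check_output($comment->subject)`, and `$comment->story` is a user-submitted story title that deserves the same. `$box2` is also built from five `.=` appends on a variable that is never initialised in the visible lines, which PHP 4 tolerates but a `$box2 = "";` before the loop makes explicit. The unchanged query at L80 still interpolates `$uname` directly into SQL with only magic_quotes_gpc standing in the way, which is worth keeping in mind when this function is next touched.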
diff --git a/calendar.class.php b/calendar.class.php
index a4a73e045bee..561363c33439 100644
--- a/calendar.class.php
+++ b/calendar.class.php
@@ -28,7 +28,7 @@ function display() {
     ### Generate calendar header:
     $output .= "\n<!-- calendar -->\n";
     $output .= "<TABLE WIDTH=\"100%\" BORDER=\"1\" CELLSPACING=\"0\" CELLPADDING=\"1\">\n";
-    $output .= " <TR><TD ALIGN=\"center\" COLSPAN=\"7\"><SMALL><A HREF=\"$PHP_SELF?date=$prev\">&lt;&lt;</A> &nbsp; ". date("F Y", $this->date) ." &nbsp; <A HREF=\"$PHP_SELF?date=$next\">&gt;&gt;</A></SMALL></TD></TR>\n";
+    $output .= " <TR><TD ALIGN=\"center\" COLSPAN=\"7\"><SMALL><A HREF=\"$PHP_SELF?date=$prev\">&lt;</A> &nbsp; ". date("F Y", $this->date) ." &nbsp; <A HREF=\"$PHP_SELF?date=$next\">&gt;</A></SMALL></TD></TR>\n";
     $output .= " <TR><TD ALIGN=\"center\"><SMALL>S</SMALL></TD><TD ALIGN=\"center\"><SMALL>M</SMALL></TD><TD ALIGN=\"center\"><SMALL>T</SMALL></TD><TD ALIGN=\"center\"><SMALL>W</SMALL></TD><TD ALIGN=\"center\"><SMALL>T</SMALL></TD><TD ALIGN=\"center\"><SMALL>F</SMALL></TD><TD ALIGN=\"center\"><SMALL>S</SMALL></TD></TR>\n";
  
     ### Initialize temporary variables:
diff --git a/diary.php b/diary.php
index dcbf42ff324e..767a3e1a9e96 100644
--- a/diary.php
+++ b/diary.php
@@ -19,7 +19,7 @@ function diary_overview($num = 20) {
     $output .= "<DL>\n";
     $output .= " <DD><P><B>$diary->userid wrote:</B></P></DD>\n";
     $output .= " <DL>\n";
-    $output .= "  <DD><P>". check($diary->text) ."</P><P>[ <A HREF=\"diary.php?op=view&name=$diary->userid\">more</A> ]</P></DD>\n";
+    $output .= "  <DD><P>". check_output($diary->text) ."</P><P>[ <A HREF=\"diary.php?op=view&name=$diary->userid\">more</A> ]</P></DD>\n";
     $output .= " </DL>\n";
     $output .= "</DL>\n";
   }
@@ -34,13 +34,13 @@ function diary_entry($timestamp, $text, $id = 0) {
   if ($id) {
     $output .= "<DL>\n";
     $output .= " <DT><B>". date("l, F jS", $timestamp) .":</B> </DT>\n";
-    $output .= " <DD><P>[ <A HREF=\"diary.php?op=edit&id=$id\">edit</A> ]</P><P>". check($text) ."</P></DD>\n";
+    $output .= " <DD><P>[ <A HREF=\"diary.php?op=edit&id=$id\">edit</A> ]</P><P>". check_output($text) ."</P></DD>\n";
     $output .= "</DL>\n";
   }
   else {
     $output .= "<DL>\n";
     $output .= " <DT><B>". date("l, F jS", $timestamp) .":</B></DT>\n";
-    $output .= " <DD><P>". check($text) ."</P></DD>\n";
+    $output .= " <DD><P>". check_output($text) ."</P></DD>\n";
     $output .= "</DL>\n";
   }
   return $output;
@@ -74,7 +74,7 @@ function diary_add() {
   $output .= "<P>\n"; 
   $output .= " <B>Enter new diary entry:</B><BR>\n";
   $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"15\" NAME=\"text\" MAXLENGTH=\"20\"></TEXTAREA><BR>\n";
-  $output .= " <SMALL><I>Allowed HTML tags: ". htmlspecialchars($allowed_html) ."</I></SMALL>\n";
+  $output .= " <SMALL><I>Allowed HTML tags: ". htmlspecialchars($allowed_html) .".</I></SMALL>\n";
   $output .= "</P>\n";
 
   $output .= "<P>\n";
@@ -101,7 +101,7 @@ function diary_edit($id) {
   $output .= "<P>\n";
   $output .= " <B>Edit diary entry:</B><BR>\n";
   $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"15\" NAME=\"text\">". stripslashes($diary->text) ."</TEXTAREA><BR>\n";
-  $output .= " <SMALL><I>Allowed HTML tags: ". htmlspecialchars($allowed_html) ."</I></SMALL>\n";
+  $output .= " <SMALL><I>Allowed HTML tags: ". htmlspecialchars($allowed_html) .".</I></SMALL>\n";
   $output .= "</P>\n";
 
   $output .= "<P>\n";
@@ -127,7 +127,7 @@ function diary_preview($text, $timestamp, $id = 0) {
   $output .= "<P>\n";
   $output .= " <B>Preview diary entry:</B><BR>\n";
   $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"15\" NAME=\"text\">". stripslashes($text) ."</TEXTAREA><BR>\n";
-  $output .= " <SMALL><I>Allowed HTML tags: ". htmlspecialchars($allowed_html) ."</I></SMALL>\n";
+  $output .= " <SMALL><I>Allowed HTML tags: ". htmlspecialchars($allowed_html) .".</I></SMALL>\n";
   $output .= "</P>\n";
 
   $output .= "<P>\n";
diff --git a/discussion.php b/discussion.php
index c9b31e049f1b..8a2cbd5ce336 100644
--- a/discussion.php
+++ b/discussion.php
@@ -1,7 +1,7 @@
 <?
 
 function discussion_score($comment) {
-  $value = ($comments->votes) ? $comment->score / $comment->votes : $comments->score;
+  $value = ($comments->votes) ? $comment->score / $comment->votes : ($comments->score) ? $comments->score : 0;
   return (strpos($value, ".")) ? substr($value ."00", 0, 4) : $value .".00";
 }
 
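Review bot: The rewritten line 178 reads `$comments->votes` and `$comments->score` (plural), but the function's only parameter is `$comment`, so both are undefined and the score always resolves to 0 regardless of the comment's votes; the `$comment->score / $comment->votes` branch is unreachable. The nested ternary is also unparenthesised, and PHP groups `a ? b : c ? d : e` as `(a ? b : c) ? d : e`, which is not the intended fallback chain. Suggested: `$value = ($comment->votes) ? $comment->score / $comment->votes : (($comment->score) ? $comment->score : 0);`. The function body is complete within the hunk.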
@@ -21,7 +21,7 @@ function discussion_moderate($moderate) {
   }
 }
 
-function discussion_kids($cid, $mode, $order = 0, $thold = 0, $level = 0, $dummy = 0) {
+function discussion_kids($cid, $mode, $level = 0, $dummy = 0) {
   global $user, $theme;
 
   $comments = 0;
@@ -34,25 +34,22 @@ function discussion_kids($cid, $mode, $order = 0, $thold = 0, $level = 0, $dummy
         if ($level && !$comments) print "<UL>";
         $comments++;
 
-        $link = "<A HREF=\"discussion.php?op=reply&sid=$comment->sid&pid=$comment->cid&mode=$mode&order=$order&thold=$thold\"><FONT COLOR=\"$theme->hlcolor2\">reply to this comment</FONT></A>";
-        $theme->comment($comment->userid, stripslashes($comment->subject), stripslashes($comment->comment), $comment->timestamp, stripslashes($comment->url), stripslashes($comment->femail), $comment->score, $comment->cid, $link);
+        $link = "<A HREF=\"discussion.php?op=reply&sid=$comment->sid&pid=$comment->cid\"><FONT COLOR=\"$theme->hlcolor2\">reply to this comment</FONT></A>";
+        $theme->comment($comment->userid, stripslashes($comment->subject), stripslashes($comment->comment), $comment->timestamp, stripslashes($comment->url), stripslashes($comment->femail), discussion_score($comment), $comment->cid, $link);
         
-        discussion_kids($comment->cid, $mode, $order, $thold, $level + 1, $dummy + 1);
+        discussion_kids($comment->cid, $mode, $level + 1, $dummy + 1);
       }
     }
   } 
   elseif ($mode == "flat") {
     while ($comment = db_fetch_object($result)) {
       if ($comment->score >= $thold) {
-        $link = "<A HREF=\"discussion.php?op=reply&sid=$comment->sid&pid=$comment->cid&mode=$mode&order=$order&thold=$thold\"><FONT COLOR=\"$theme->hlcolor2\">reply to this comment</FONT></A>";
-        $theme->comment($comment->userid, check($comment->subject), check($comment->comment), $comment->timestamp, $comment->url, $comment->femail, $comment->score, $comment->cid, $link);
+        $link = "<A HREF=\"discussion.php?op=reply&sid=$comment->sid&pid=$comment->cid\"><FONT COLOR=\"$theme->hlcolor2\">reply to this comment</FONT></A>";
+        $theme->comment($comment->userid, check_output($comment->subject), check_output($comment->comment), $comment->timestamp, $comment->url, $comment->femail, discussion_score($comment), $comment->cid, $link);
       } 
-      discussion_kids($comment->cid, $mode, $order, $thold);
+      discussion_kids($comment->cid, $mode);
     }
   } 
-  elseif ($mode == "disabled") {
-    // do nothing
-  }
   else {
     print "ERROR: we should not get here!";
   }
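Review bot: `$thold` was removed from discussion_kids's parameter list at L187, but the flat branch still filters on `$comment->score >= $thold` at L207, and `$thold` is neither declared global at L188 nor derived in the visible lines (the lines between the two hunks are not shown, so this is inferred), so it evaluates as null and every comment passes the threshold; the threaded branch above the hunk presumably carries the same test. Since discussion_display now reads the threshold from the user record, the same lookup belongs here, e.g. `$thold = ($user) ? $user->thold : 0;` after the `global` line. Dropping the `"disabled"` branch also means a user whose stored umode is still `disabled` lands in the `ERROR: we should not get here!` path; mapping that value to a default mode when settings are read would avoid it. discussion_kids continues past the end of this hunk.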
@@ -62,8 +59,8 @@ function discussion_kids($cid, $mode, $order = 0, $thold = 0, $level = 0, $dummy
   }
 }
 
-function discussion_childs($cid, $mode, $order, $thold, $level = 0, $thread) {
-  global $anonymous, $theme, $user;
+function discussion_childs($cid, $level = 0, $thread) {
+  global $theme, $user;
 
   ### Perform SQL query:
   $result = db_query("SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE c.pid = $cid ORDER BY c.timestamp, c.cid");
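Review bot: The new signature `discussion_childs($cid, $level = 0, $thread)` places a required parameter after an optional one, so `$level` can never actually be omitted and the top-level call `discussion_childs($comment->cid)` at L316 relies on PHP silently accepting a missing argument. Giving the accumulator a default, `function discussion_childs($cid, $level = 0, $thread = "") {`, makes both that call and the recursive call well-formed. The function body continues past the end of this hunk.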
@@ -79,16 +76,10 @@ function discussion_childs($cid, $mode, $order, $thold, $level = 0, $thread) {
     $comments++;
 
     ### Compose link:
-    $thread .= "<LI><A HREF=\"discussion.php?id=$comment->sid&cid=$comment->cid&pid=$comment->pid";
-    $thread .= ($mode) ? "&mode=$mode" : "&mode=threaded";
-    $thread .= ($order) ? "&order=$order" : "&order=0";
-    $thread .= ($thold) ? "&thold=$thold" : "&thold=0";
-    $thread .= "\">". check($comment->subject) ."</A> by ";
-    $thread .= ($comment->userid) ? $comment->userid : $anonymous;
-    $thread .= " <SMALL>(". discussion_score($comment) .")<SMALL></LI>";
+    $thread .= "<LI><A HREF=\"discussion.php?id=$comment->sid&cid=$comment->cid&pid=$comment->pid\">". check_output($comment->subject) ."</A> by ". format_username($comment->userid) ." <SMALL>(". discussion_score($comment) .")<SMALL></LI>";
 
     ### Recursive:
-    discussion_childs($comment->cid, $mode, $order, $thold, $level + 1, &$thread);
+    discussion_childs($comment->cid, $level + 1, &$thread);
   } 
 
   if ($level && $comments) {
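Review bot: The rebuilt link at L245 closes the score with `<SMALL>` instead of `</SMALL>`, so every thread entry opens a further SMALL element that is never closed; the old line had the same typo, but the commit rewrote the line without fixing it. The recursive call at L249 still uses call-time pass-by-reference (`&$thread`) although the function returns `$thread` and the caller at L316 consumes the return value; `$thread = discussion_childs($comment->cid, $level + 1, $thread);` accumulates the same string without the reference. discussion_childs starts before and ends after this hunk.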
@@ -98,22 +89,41 @@ function discussion_childs($cid, $mode, $order, $thold, $level = 0, $thread) {
   return $thread;
 }
 
-function discussion_display($sid, $pid, $cid, $mode, $order, $thold, $level = 0) {
+function discussion_settings($mode, $order, $thold) {
+  global $user;
+
+  if ($user) {
+    db_query("UPDATE users SET umode = '$mode', uorder = '$order', thold = '$thold' WHERE id = '$user->id'");
+    user_rehash();
+  }
+}
+
+function discussion_display($sid, $pid, $cid, $level = 0) {
   global $user, $theme;
 
   ### Pre-process variables:
   $pid = (empty($pid)) ? 0 : $pid;
-  $cid = (empty($pid)) ? 0 : $cid;
+  $cid = (empty($cid)) ? 0 : $cid;
+  $mode  = ($user) ? $user->umode  : "threaded";
+  $order = ($user) ? $user->uorder : "1";
+  $thold = ($user) ? $user->thold  : "0";
 
   ### Compose story-query:
-  $result = db_query("SELECT stories.*, users.userid FROM stories LEFT JOIN users ON stories.author = users.id WHERE stories.status != 0 AND stories.id = $sid");
+  $result = db_query("SELECT s.*, u.userid FROM stories s LEFT JOIN users u ON s.author = u.id WHERE s.status != 0 AND s.id = $sid");
   $story = db_fetch_object($result);
 
   ### Display story:
-  $theme->article($story, "[ <A HREF=\"\"><FONT COLOR=\"$theme->hlcolor2\">home</FONT></A> | <A HREF=\"discussion.php?op=reply&sid=$story->id&pid=0\"><FONT COLOR=\"$theme->hlcolor2\">add a comment</FONT></A> ]");
+  if ($story->status == 1) {
+    $theme->article($story, "[ <A HREF=\"submission.php\"><FONT COLOR=\"$theme->hlcolor2\">submission queue</FONT></A> | <A HREF=\"discussion.php?op=reply&sid=$story->id&pid=0\"><FONT COLOR=\"$theme->hlcolor2\">add a comment</FONT></A> ]");
+  }
+  else {
+    $theme->article($story, "[ <A HREF=\"\"><FONT COLOR=\"$theme->hlcolor2\">home</FONT></A> | <A HREF=\"discussion.php?op=reply&sid=$story->id&pid=0\"><FONT COLOR=\"$theme->hlcolor2\">add a comment</FONT></A> ]");
+  }
 
   ### Display `comment control'-box:
-  $theme->commentControl($sid, $title, $thold, $mode, $order);
+  if ($user) {
+    $theme->commentControl($sid, $title, $thold, $mode, $order);
+  }
 
   ### Compose query:
   $query = "SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE c.sid = $sid AND c.pid = $pid";
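Review bot: discussion_settings (L258–L265) writes `$mode`, `$order` and `$thold` straight from the request into the UPDATE at L262 with no validation; magic_quotes_gpc only escapes quotes, and nothing stops an arbitrary mode string or a non-numeric threshold from being stored and then fed back into discussion_display and discussion_kids, where an unknown mode ends in the `ERROR: we should not get here!` branch. Coercing the numeric fields, `$order = (int) $order; $thold = (int) $thold;`, and resetting `$mode` to `"threaded"` unless it is one of the modes the display code handles would bound the stored values. The rewritten story query at L280 likewise interpolates `$sid` (the request's `id`) unquoted; an `(int)` cast at the top of discussion_display closes that too. `user_rehash()` replaces the former `$user->rehash()`; its definition is not in this diff, so the rename is taken on trust.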
@@ -132,20 +142,20 @@ function discussion_display($sid, $pid, $cid, $mode, $order, $thold, $level = 0)
     ### Dynamically compose the `reply'-link:
     if ($pid != 0) {
       list($pid) = mysql_fetch_row(mysql_query("SELECT pid FROM comments WHERE cid = $comment->pid"));
-      $link = "<A HREF=\"discussion.php?id=$comment->sid&pid=$pid&mode=$mode&order=$order&thold=$thold\"><FONT COLOR=\"$theme->hlcolor2\">return to parent</FONT></A> | <A HREF=\"discussion.php?op=reply&sid=$comment->sid&pid=$comment->cid&mode=$mode&order=$order&thold=$thold\"><FONT COLOR=\"$theme->hlcolor2\">reply to this comment</FONT></A>";
+      $link = "<A HREF=\"discussion.php?id=$comment->sid&pid=$pid\"><FONT COLOR=\"$theme->hlcolor2\">return to parent</FONT></A> | <A HREF=\"discussion.php?op=reply&sid=$comment->sid&pid=$comment->cid\"><FONT COLOR=\"$theme->hlcolor2\">reply to this comment</FONT></A>";
     }
     else {
-      $link = "<A HREF=\"discussion.php?op=reply&sid=$comment->sid&pid=$comment->cid&mode=$mode&order=$order&thold=$thold\"><FONT COLOR=\"$theme->hlcolor2\">reply to this comment</FONT></A> ";
+      $link = "<A HREF=\"discussion.php?op=reply&sid=$comment->sid&pid=$comment->cid\"><FONT COLOR=\"$theme->hlcolor2\">reply to this comment</FONT></A> ";
     }
 
     ### Display the comments:
     if (empty($mode) || $mode == "threaded") {
-      $thread = discussion_childs($comment->cid, $mode, $order, $thold);
-      $theme->comment($comment->userid, check($comment->subject), check($comment->comment), $comment->timestamp, $comment->url, $comment->femail, $comment->score, $comment->cid, $link, $thread);
+      $thread = discussion_childs($comment->cid);
+      $theme->comment($comment->userid, check_output($comment->subject), check_output($comment->comment), $comment->timestamp, $comment->url, $comment->femail, $comment->score, $comment->cid, $link, $thread);
     }
     else {
-      $theme->comment($comment->userid, check($comment->subject), check($comment->comment), $comment->timestamp, $comment->url, $comment->femail, $comment->score, $comment->cid, $link);
-      discussion_kids($comment->cid, $mode, $order, $thold, $level);
+      $theme->comment($comment->userid, check_output($comment->subject), check_output($comment->comment), $comment->timestamp, $comment->url, $comment->femail, $comment->score, $comment->cid, $link);
+      discussion_kids($comment->cid, $mode, $level);
     }
   }
 
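Review bot: Top-level comments at L317 and L322 still pass the raw `$comment->score` to `$theme->comment()`, while the child comments rendered by discussion_kids in this same commit pass `discussion_score($comment)` (L198, L211), so one page mixes `x.00`-formatted and unformatted scores depending on nesting depth. Using `discussion_score($comment)` in both calls here brings the display in line with the changelog's score fix. discussion_display starts before and ends after this hunk.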
@@ -154,13 +164,13 @@ function discussion_display($sid, $pid, $cid, $mode, $order, $thold, $level = 0)
   print "</FORM>\n";
 }
 
-function discussion_reply($pid, $sid, $mode, $order, $thold) {
+function discussion_reply($pid, $sid) {
   global $anonymous, $user, $theme;
 
   ### Extract parent-information/data:
   if ($pid) {
     $item = db_fetch_object(db_query("SELECT comments.*, users.userid FROM comments LEFT JOIN users ON comments.author = users.id WHERE comments.cid = $pid"));
-    $theme->comment($item->userid, check(stripslashes($item->subject)), check(stripslashes($item->comment)), $item->timestamp, stripslashes($item->url), stripslashes($item->femail), $item->score, $item->cid, "reply to this comment");
+    $theme->comment($item->userid, check_output(stripslashes($item->subject)), check_output(stripslashes($item->comment)), $item->timestamp, stripslashes($item->url), stripslashes($item->femail), $item->score, $item->cid, "reply to this comment");
   }
   else {
     $item = db_fetch_object(db_query("SELECT stories.*, users.userid FROM stories LEFT JOIN users ON stories.author = users.id WHERE stories.status != 0 AND stories.id = $sid"));
@@ -187,23 +197,18 @@ function discussion_reply($pid, $sid, $mode, $order, $thold) {
   ### Subject field:
   $output .= "<P>\n";
   $output .= " <B>Subject:</B><BR>\n";
-  if (!eregi("Re:",$item->subject)) $item->subject = "Re: $item->subject"; 
-    // Only one 'Re:' will just do fine. ;)
-  $output .= " <INPUT TYPE=\"text\" NAME=\"subject\" SIZE=\"50\" MAXLENGTH=\"60\" VALUE=\"". stripslashes($item->subject) ."\">\n";
+  $output .= " <INPUT TYPE=\"text\" NAME=\"subject\" SIZE=\"50\" MAXLENGTH=\"60\">\n";
   $output .= "</P>\n";
 
   ### Comment field:
   $output .= "<P>\n";
   $output .= " <B>Comment:</B><BR>\n";
-  $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"comment\">". stripslashes($user->signature) ."</TEXTAREA><BR>\n";
+  $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"comment\">". check_input($user->signature) ."</TEXTAREA><BR>\n";
   $output .= "</P>\n";
  
   ### Hidden fields:
   $output .= "<INPUT TYPE=\"hidden\" NAME=\"pid\" VALUE=\"$pid\">\n";
   $output .= "<INPUT TYPE=\"hidden\" NAME=\"sid\" VALUE=\"$sid\">\n";
-  $output .= "<INPUT TYPE=\"hidden\" NAME=\"mode\" VALUE=\"$mode\">\n";
-  $output .= "<INPUT TYPE=\"hidden\" NAME=\"order\" VALUE=\"$order\">\n";
-  $output .= "<INPUT TYPE=\"hidden\" NAME=\"thold\" VALUE=\"$thold\">\n";
 
   ### Preview button:
   $output .= "<INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"Preview comment\"> (You must preview at least once before you can submit.)\n";
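Review bot: `check_input()` (defined in this commit's function.inc hunk) only rewrites `"` to `&quot;`, which is enough for the quoted VALUE attribute at L390 but not for the TEXTAREA body at L357, where `<`, `>` and `&` are significant and a signature containing a closing TEXTAREA tag ends the element early; the comment TEXTAREA at L397 in comment_preview has the same exposure. Making the helper `return htmlspecialchars(stripslashes($message));` in function.inc escapes all four characters and covers both contexts, so the callers in this hunk and in comment_preview need no further change. discussion_reply starts before and ends after this hunk.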
@@ -212,12 +217,12 @@ function discussion_reply($pid, $sid, $mode, $order, $thold) {
   $theme->box("Reply", $output); 
 }
 
-function comment_preview($pid, $sid, $subject, $comment, $mode, $order, $thold) {
+function comment_preview($pid, $sid, $subject, $comment) {
   global $anonymous, $user, $theme;
 
   ### Preview comment:
-  if ($user) $theme->comment("", check(stripslashes($subject)), check(stripslashes($comment)), time(), "", "", "na", "", "reply to this comment");
-  else $theme->comment($user->userid,  check(stripslashes($subject)), check(stripslashes($comment)), time(), stripslashes($user->url), stripslashes($user->femail), "na", "", "reply to this comment");
+  if ($user) $theme->comment("", check_output(stripslashes($subject)), check_output(stripslashes($comment)), time(), "", "", "na", "", "reply to this comment");
+  else $theme->comment($user->userid,  check_output(stripslashes($subject)), check_output(stripslashes($comment)), time(), stripslashes($user->url), stripslashes($user->femail), "na", "", "reply to this comment");
 
   ### Build reply form:
   $output .= "<FORM ACTION=\"discussion.php\" METHOD=\"post\">\n";
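Review bot: The preview's user check at L380–L381 is inverted: when `$user` is set the comment is previewed with an empty username and no URL or e-mail, and when it is not set the code dereferences `$user->userid`, `$user->url` and `$user->femail` on a null. The commit renamed `check` to `check_output` on both lines but kept the condition; `if (!$user)` on the first branch (or swapping the two calls) restores the intended preview. comment_preview continues past the end of this hunk.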
@@ -239,41 +244,36 @@ function comment_preview($pid, $sid, $subject, $comment, $mode, $order, $thold)
   ### Subject field:
   $output .= "<P>\n";
   $output .= " <B>Subject:</B><BR>\n";
-  $output .= " <INPUT TYPE=\"text\" NAME=\"subject\" SIZE=\"50\" MAXLENGTH=\"60\" VALUE=\"". stripslashes($subject) ."\">\n";
+  $output .= " <INPUT TYPE=\"text\" NAME=\"subject\" SIZE=\"50\" MAXLENGTH=\"60\" VALUE=\"". check_input($subject) ."\">\n";
   $output .= "</P>\n";
 
   ### Comment field:
   $output .= "<P>\n";
   $output .= " <B>Comment:</B><BR>\n";
-  $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"comment\">". stripslashes($comment) ."</TEXTAREA><BR>\n";
+  $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"comment\">". check_input($comment) ."</TEXTAREA><BR>\n";
   $output .= "</P>\n";
   
   ### Hidden fields:
   $output .= "<INPUT TYPE=\"hidden\" NAME=\"pid\" VALUE=\"$pid\">\n";
   $output .= "<INPUT TYPE=\"hidden\" NAME=\"sid\" VALUE=\"$sid\">\n";
-  $output .= "<INPUT TYPE=\"hidden\" NAME=\"mode\" VALUE=\"$mode\">\n";
-  $output .= "<INPUT TYPE=\"hidden\" NAME=\"order\" VALUE=\"$order\">\n";
-  $output .= "<INPUT TYPE=\"hidden\" NAME=\"thold\" VALUE=\"$thold\">\n";
 
-  ### Preview and submit buttons:
   if (empty($subject)) {
     $output .= "<P>\n";
     $output .= " <FONT COLOR=\"red\"><B>Warning:</B></FONT> you did not supply a <U>subject</U>.\n";
     $outout .= "</P>\n";
-    $output .= "<P>\n";
-    $output .= " <INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"Preview comment\">\n";
-    $output .= "</P>\n";
-  }
-  else {
-    $output .= "<INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"Preview comment\">\n";
-    $output .= "<INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"Post comment\">\n";
-    $output .= "</FORM>\n";
   }
 
+  ### Preview and submit button:
+  $output .= "<P>\n";
+  $output .= " <INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"Preview comment\">\n";
+  $output .= " <INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"Post comment\">\n";
+  $output .= " </FORM>\n";
+  $output .= "</P>\n";
+
   $theme->box("Reply", $output); 
 }
 
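Review bot: The warning block kept at L411 appends its closing tag to `$outout` rather than `$output`, so the `<P>` opened at L409 is never closed and the typo silently creates a second variable; the commit reworks this block without catching it — `$output .= "</P>\n";`. The new button block at L423–L427 also emits `</FORM>` inside the paragraph although the form was opened outside it at L384; moving `$output .= "</FORM>\n";` after the `</P>` line gives properly nested markup. comment_preview starts before this hunk.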
-function comment_post($pid, $sid, $subject, $comment, $mode, $order, $thold) {
+function comment_post($pid, $sid, $subject, $comment) {
   global $user, $theme;
 
   ### Check for fake threads:
@@ -283,30 +283,22 @@ function comment_post($pid, $sid, $subject, $comment, $mode, $order, $thold) {
   $duplicate = db_result(db_query("SELECT COUNT(*) FROM comments WHERE pid = '$pid' AND sid = '$sid' AND subject = '". addslashes($subject) ."' AND comment = '". addslashes($comment) ."'"), 0);
 
   if ($fake != 1) {
+    watchdog(3, "attemp to insert fake comment");
     $theme->box("fake comment", "fake comment: $fake");
   }
   elseif ($duplicate != 0) {
+    watchdog(3, "attemp to insert duplicate comment");
     $theme->box("duplicate comment", "duplicate comment: $duplicate");
   }
   else { 
-    if ($user) {
-      ### Add comment to database:
-      db_insert("INSERT INTO comments (pid, sid, author, subject, comment, hostname, timestamp) VALUES ($pid, $sid, $user->id, '". addslashes($subject) ."', '". addslashes($comment) ."', '". getenv("REMOTE_ADDR") ."', '". time() ."')");
-
-      ### Compose header:
-      $header = "discussion.php?id=$sid";
-      $header .= ($mode) ? "&mode=$mode" : "&mode=threaded";
-      $header .= ($order) ? "&order=$order" : "&order=0";
-      $header .= ($thold) ? "&thold=$thold" : "&thold=0";
-    }
-    else {
-      ### Add comment to database:
-      db_insert("INSERT INTO comments (pid, sid, subject, comment, hostname, timestamp) VALUES ($pid, $sid, '". addslashes($subject) ."', '". addslashes($comment) ."', '". getenv("REMOTE_ADDR") ."', '". time() ."')");
+    ### Validate subject:
+    $subject = ($subject) ? $subject : substr($comment, 0, 29);
 
-      ### Compose header:
-      $header .= "discussion.php?id=$sid&mode=threaded&order=1&thold=0";
-    }
-    header("Location: $header");
+    ### Add comment to database:
+    db_insert("INSERT INTO comments (pid, sid, author, subject, comment, hostname, timestamp) VALUES ($pid, $sid, $user->id, '". addslashes($subject) ."', '". addslashes($comment) ."', '". getenv("REMOTE_ADDR") ."', '". time() ."')");
+
+    ### Compose header:
+    header("Location: discussion.php?id=$sid");
   }
 }
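Review bot: The single INSERT at L470 interpolates `$user->id` unconditionally, but the anonymous branch the commit removed (old L459–L461) existed because `$user` is unset for anonymous posters; for them the VALUES list now reads `($pid, $sid, , '...` and the statement fails, while comment_preview in this same file still previews anonymous comments. Either guard with `$author = ($user) ? $user->id : 0;` and insert `$author`, or reject anonymous posts explicitly before this point. `$pid` and `$sid` arrive from hidden form fields and are interpolated unquoted here and at L438; an `(int)` cast on both at the top of comment_post removes the dependence on the fake-thread check above the hunk catching bad values. The two new watchdog() messages misspell `attempt` as `attemp`. comment_post starts before this hunk.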
 
@@ -314,30 +306,35 @@ function comment_post($pid, $sid, $subject, $comment, $mode, $order, $thold) {
 include "config.inc";
 include "theme.inc";
 
-if ($save) {
-  db_query("UPDATE users SET umode = '$mode', uorder = '$order', thold = '$thold' where id = '$user->id'");
-  $user->rehash();
-}
-
 switch($op) {  
   case "Preview comment":
     $theme->header();
-    comment_preview($pid, $sid, $subject, $comment, $mode, $order, $thold);
+    comment_preview($pid, $sid, $subject, $comment);
     $theme->footer();
     break;
   case "Post comment":
-    comment_post($pid, $sid, $subject, $comment, $mode, $order, $thold);
+    comment_post($pid, $sid, $subject, $comment);
     break;
   case "reply":
     $theme->header();
-    discussion_reply($pid, $sid, $mode, $order, $thold);
+    discussion_reply($pid, $sid);
+    $theme->footer();
+    break;
+  case "Save":
+    discussion_settings($mode, $order, $thold);
+    $theme->header();
+    discussion_display($id, $pid, $sid);
     $theme->footer();
     break;
   case "Moderate comments":
     discussion_moderate($moderate);
+    $theme->header();
+    discussion_display($id, $pid, $sid);
+    $theme->footer();
+    break;
   default:
     $theme->header();
-    discussion_display($id, $pid, $sid, $mode, $order, $thold);
+    discussion_display($id, $pid, $sid);
     $theme->footer();
 }
 
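Review bot: The three `discussion_display($id, $pid, $sid)` calls at L506, L512 and L518 pass the request's `$sid` as the third argument, but discussion_display's third parameter is `$cid` (L267), so the `cid` value carried by the links built in account.php and discussion_childs never reaches the function even though this commit fixed its `$cid` pre-processing at L273; if those links are meant to focus a comment, the calls should read `discussion_display($id, $pid, $cid);`. The new `"Save"` case depends on the theme's commentControl submitting `NAME="op" VALUE="Save"` in place of the removed `$save` field, which the UnConeD notes already flag as outdated in the themes; a comment above the case recording that contract, `// commentControl() must submit op=Save; $save is no longer read`, would help theme authors.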
diff --git a/faq.php b/faq.php
index baf3c0f7026b..1cf4aa3ecb9c 100644
--- a/faq.php
+++ b/faq.php
@@ -29,7 +29,7 @@
    <DD>Comments that gain the approbation of participants gradually move up through statistical effects and pointless comments sink into oblivion.<P>--- under construction ---<P>Hence, the purpose of comment moderation is two-fold: <UL><LI>To bring the really good comments to everyone's attention.</LI><LI>To hide or get get rid of spam, flamebait and trolls.</LI></UL>In the latter, comment moderation provides a technical solution to a social problem.<P></DD>
 
    <DT><B>Why would I want to create a user account?</B></DT>
-   <DD>No $sitename participant can use his own name or handle to post comments until they sign up and submit their e-mail address.  Those who do not may participate as `$anonymous', but they will suffer numerous disadvantages, not the least that their posts begin at a lower score.<P>In contrast, those with a user account can use their own name or handle and are granted various priveleges: the most important is probably the ability to moderate new submissions and to rate comments.  Also, registered users can tune the site to their personal needs.  For instance: they can select one of the available themes to alter the look-and-feel of the site or they fine-tune the values of various settings to their likings.<P></DD>
+   <DD>No $sitename participant can use his own name or handle to post comments until they sign up and submit their e-mail address.  Those who do not may participate as `$anonymous', but they will suffer numerous disadvantages, not the least that their posts begin at a lower score.<P>In contrast, those with a user account can use their own name or handle and are granted various priveleges: the most important is probably the ability to moderate new submissions and to rate comments.  Also, registered users can tune the site to their personal needs.  For instance: they can select one of the available themes to alter the look-and-feel of the site or they can fine-tune the values of various settings to their likings.<P></DD>
 
    <DT><B>I forgot my password, what do I do?</B></DT>
    <DD>--- under construction ---<P></DD>
diff --git a/function.inc b/function.inc
index 957ddf2ac9da..2c69e4fb9b94 100644
--- a/function.inc
+++ b/function.inc
@@ -21,15 +21,11 @@ function dbsave($dbase, $data, $id=0) {
   else { db_query("INSERT INTO $dbase SET $query") or die(mysql_error()); return mysql_insert_id(); }
 }
 
-function FixQuotes ($what = "") {
-  $what = ereg_replace("'","''",$what);
-  while (eregi("\\\\'", $what)) {
-    $what = ereg_replace("\\\\'","'",$what);
-  }
-  return $what;
+function check_input($message) {
+  return str_replace("\"", "&quot;", stripslashes($message));
 }
 
-function check($message) {
+function check_output($message) {
   include "config.inc";
   return nl2br(strip_tags(stripslashes($message), $allowed_html));
 }
diff --git a/search.php b/search.php
index c84325d58e0b..fb616cab0b95 100644
--- a/search.php
+++ b/search.php
@@ -53,7 +53,7 @@
 
  while ($entry = db_fetch_object($result)) {
    $num++;
-   $output .= "<P>$num) <B>". format_story_link($entry) ."</B> (". format_plural($entry->comments, "comment", comments) .")<BR><SMALL>by ". format_username($entry->userid) ."</B>, posted on ". format_date($entry->timestamp) .".</SMALL></P>\n";
+   $output .= "<P>$num) <B><A HREF=\"discussion.php?id=$entry->id\">$entry->subject</A></B> (". format_plural($entry->comments, "comment", comments) .")<BR><SMALL>by ". format_username($entry->userid) ."</B>, posted on ". format_date($entry->timestamp) .".</SMALL></P>\n";
  }
 
  if ($num == 0) $output .= "<P>Your search did <B>not</B> match any articles in our database: <UL><LI>Try using fewer words.</LI><LI>Try using more general keywords.</LI><LI>Try using different keywords.</LI></UL></P>\n";
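Review bot: The rewritten `$output .=` line still passes the bare word `comments` as the third argument of `format_plural`, which only works through PHP's undefined-constant-to-string fallback; it should be the string `"comments"` as template.inc's calls use. The same line emits a closing `</B>` after `format_username()` with no matching `<B>`. `$entry->subject` becomes the link text exactly as stored; if subjects only ever pass through `check_output` at submission time, that filter is the sole protection here and a one-line comment saying so would help.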
diff --git a/submit.php b/submit.php
index 60b761c1becb..b921c6a3f89c 100644
--- a/submit.php
+++ b/submit.php
@@ -1,7 +1,7 @@
 <?
 
 function submit_enter() {
-  global $anonymous, $categories, $theme, $user;
+  global $anonymous, $categories, $allowed_html, $theme, $user;
   
   ### Guidlines:
   $output .= "<P>Got some news or some thoughts you would like to share?  Fill out this form and they will automatically get whisked away to our submission queue where our moderators will frown at it, poke at it and hopefully post it.  Every registered user is automatically a moderator and can vote whether or not your sumbission should be carried to the front page for discussion.</P>\n";
@@ -12,7 +12,7 @@ function submit_enter() {
   $output .= "<FORM ACTION=\"submit.php\" METHOD=\"post\">\n";
 
   $output .= "<P>\n <B>Your name:</B><BR>\n";
-  if ($user->id) $output .= " <A HREF=\"account.php\">$user->userid</A> &nbsp; &nbsp; <SMALL>[ <A HREF=\"account.php?op=logout\">logout</A> ]</SMALL>\n";
+  if ($user->id) $output .= " $user->userid &nbsp; &nbsp; <SMALL>[ <A HREF=\"account.php\">edit</A> | <A HREF=\"account.php?op=logout\">logout</A> ]</SMALL>\n";
   else $output .= " $anonymous &nbsp; &nbsp; <SMALL>[ <A HREF=\"account.php\">login</A> | <A HREF=\"account.php\">create an account</A> ]</SMALL>\n"; 
   $output .= "</P>\n";
  
@@ -35,13 +35,13 @@ function submit_enter() {
   $output .= "<P>\n"; 
   $output .= " <B>Abstract:</B><BR>\n";
   $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"abstract\" MAXLENGTH=\"20\"></TEXTAREA><BR>\n";
-  $output .= " <SMALL><I>HTML is nice and dandy, but double check those URLs and HTML tags!</I></SMALL>\n";
+  $output .= " <SMALL><I>Allowed HTML tags: ". htmlspecialchars($allowed_html) .".</I></SMALL>\n";
   $output .= "</P>\n";
 
   $output .= "<P>\n"; 
   $output .= " <B>Extended story:</B><BR>\n";
   $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"15\" NAME=\"article\"></TEXTAREA><BR>\n";
-  $output .= " <SMALL><I>HTML is nice and dandy, but double check those URLs and HTML tags!</I></SMALL>\n";
+  $output .= " <SMALL><I>Allowed HTML tags: ". htmlspecialchars($allowed_html) .".</I></SMALL>\n";
   $output .= "</P>\n";
  
   $output .= "<P>\n";
@@ -57,19 +57,19 @@ function submit_enter() {
 }
 
 function submit_preview($subject, $abstract, $article, $category) {
-  global $anonymous, $categories, $theme, $user;
+  global $anonymous, $categories, $allowed_html, $theme, $user;
 
   $output .= "<FORM ACTION=\"submit.php\" METHOD=\"post\">\n";
 
   $output .= "<P>\n";
   $output .= " <B>Your name:</B><BR>\n";
-  if ($user->id) $output .= " <A HREF=\"account.php\">$user->userid</A> &nbsp; &nbsp; <SMALL> [ <A HREF=\"account.php?op=logout\">logout</A> ]</SMALL>\n";
+  if ($user->id) $output .= " $user->userid &nbsp; &nbsp; <SMALL> [ <A HREF=\"account.php\">edit</A> | <A HREF=\"account.php?op=logout\">logout</A> ]</SMALL>\n";
   else $output .= " $anonymous &nbsp; &nbsp; <SMALL>[ <A HREF=\"account.php\">login</A> | <A HREF=\"account.php\">create an account</A> ]</SMALL>\n";
   $output .= "</P>\n";
 
   $output .= "<P>\n";
   $output .= " <B>Subject:</B><BR>\n";
-  $output .= " <INPUT TYPE=\"text\" NAME=\"subject\" SIZE=\"50\" MAXLENGTH=\"60\" VALUE=\"". stripslashes($subject) ."\"><BR>\n";
+  $output .= " <INPUT TYPE=\"text\" NAME=\"subject\" SIZE=\"50\" MAXLENGTH=\"60\" VALUE=\"". check_input($subject) ."\"><BR>\n";
   $output .= " <SMALL><I>Bad subjects are 'Check this out!' or 'An article'.  Be descriptive, clear and simple!</I></SMALL>\n";
   $output .= "</P>\n";
 
@@ -85,14 +85,14 @@ function submit_preview($subject, $abstract, $article, $category) {
 
   $output .= "<P>\n";
   $output .= "<B>Abstract:</B><BR>\n";
-  $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"abstract\">". stripslashes($abstract) ."</TEXTAREA><BR>\n";
-  $output .= " <SMALL><I>HTML is nice and dandy, but double check those URLs and HTML tags!</I></SMALL>\n";
+  $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"abstract\">". check_input($abstract) ."</TEXTAREA><BR>\n";
+  $output .= " <SMALL><I>Allowed HTML tags: ". htmlspecialchars($allowed_html) .".</I></SMALL>\n";
   $output .= "</P>\n";
 
   $output .= "<P>\n";
   $output .= " <B>Extended story:</B><BR>\n";
-  $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"15\" NAME=\"article\">". stripslashes($article) ."</TEXTAREA><BR>\n";
-  $output .= " <SMALL><I>HTML is nice and dandy, but double check those URLs and HTML tags!</I></SMALL>\n";
+  $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"15\" NAME=\"article\">". check_input($article) ."</TEXTAREA><BR>\n";
+  $output .= " <SMALL><I>Allowed HTML tags: ". htmlspecialchars($allowed_html) .".</I></SMALL>\n";
   $output .= "</P>\n";
 
   if (empty($subject)) {
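Review bot: `check_input($abstract)` and `check_input($article)` on the two TEXTAREA lines are placed in element content, where the helper's `"` to `&quot;` rewrite does nothing useful and `<` is not escaped, so an abstract containing a closing `</TEXTAREA>` tag ends the field and the rest of the text renders as page markup in the preview. For those two fields use `htmlspecialchars(stripslashes($abstract))` and `htmlspecialchars(stripslashes($article))`; the VALUE attribute on the subject field in the previous hunk is fine with `check_input`. Note also that entities left in the textarea are decoded by the browser on resubmission, so text the user typed as `&quot;` appears to collapse to a plain `"` after one preview round-trip.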
@@ -120,7 +120,7 @@ function submit_preview($subject, $abstract, $article, $category) {
   $output .= "</FORM>\n";
   
   $theme->header();
-  $theme->preview($user->userid, check(stripslashes($subject)), check(stripslashes($abstract)), "", check(stripslashes($article)), date("l, F d, Y - H:i A", time()), check(stripslashes($category)), "we-hate-typoes");
+  $theme->preview($user->userid, check_output(stripslashes($subject)), check_output(stripslashes($abstract)), "", check_output(stripslashes($article)), date("l, F d, Y - H:i A", time()), check_output(stripslashes($category)), "we-hate-typoes");
   $theme->box("Submit a story", $output);
   $theme->footer();
 }
@@ -129,7 +129,7 @@ function submit_submit($subject, $abstract, $article, $category) {
   global $user, $theme;
 
   ### Add submission to SQL table:
-  db_insert("INSERT INTO stories (author, subject, abstract, article, category, timestamp) VALUES ('$user->id', '". check(addslashes($subject)) ."', '". check(addslashes($abstract)) ."', '". check(addslashes($article)) ."', '". check(addslashes($category)) ."', '". time() ."')");
+  db_insert("INSERT INTO stories (author, subject, abstract, article, category, timestamp) VALUES ('$user->id', '". check_output(addslashes($subject)) ."', '". check_output(addslashes($abstract)) ."', '". check_output(addslashes($article)) ."', '". check_output(addslashes($category)) ."', '". time() ."')");
   
   ### Display confirmation message:
   $theme->header(); 
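Review bot: On the INSERT line, `check_output(addslashes($subject))` undoes its own escaping: `check_output` begins with `stripslashes`, so the slashes `addslashes` added are removed before the value is interpolated into the SQL string, and the statement is protected only by the request data still carrying magic_quotes_gpc escaping (enabled in this patch's .htaccess). Reversing the order, `addslashes(check_output($subject))` for each of the four fields, escapes the final filtered value regardless of the magic_quotes setting. The preview line in the previous hunk has the mirror problem: `check_output(stripslashes($subject))` strips slashes twice, so a backslash the user typed is lost in the preview.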
diff --git a/template.inc b/template.inc
index 41090aed6be2..2b9618e96de0 100644
--- a/template.inc
+++ b/template.inc
@@ -2,7 +2,7 @@
 include "user.class.php";
 
 function display_morelink($theme, $story) {
-  return ($story->article) ? "[ ". format_story_link($story, "<FONT COLOR=\"$theme->hlcolor2\"><B>read more</B></FONT>") ." | ". strlen($story->article) ." bytes | ". format_story_link($story, "<FONT COLOR=\"$theme->hlcolor2\">". format_plural($story->comments, "comment", "comments") ."</FONT>") ." ]" : "[ ". format_story_link($story, "<FONT COLOR=\"$theme->hlcolor2\">". format_plural($story->comments, "comment", "comments") ."</FONT>") ." ]";
+  return ($story->article) ? "[ <A HREF=\"discussion.php?id=$story->id\"><FONT COLOR=\"$theme->hlcolor2\"><B>read more</B></FONT></A> | ". strlen($story->article) ." bytes | <A HREF=\"discussion.php?id=$story->id\"><FONT COLOR=\"$theme->hlcolor2\">". format_plural($story->comments, "comment", "comments") ."</FONT></A> ]" : "[ <A HREF=\"discussion.php?id=$story->id\"><FONT COLOR=\"$theme->hlcolor2\">". format_plural($story->comments, "comment", "comments") ."</FONT></A> ]";
 }
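Review bot: The new return line repeats the `<A HREF=\"discussion.php?id=$story->id\">` anchor three times inside one ternary, which makes the two branches hard to compare. Building the URL once, `$url = "discussion.php?id=$story->id";`, and the comment-count fragment once before the ternary would leave each branch a single short expression. `strlen($story->article)` is a byte count, so the "bytes" label is accurate.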
 
 function displayModerationResults($theme, $story) {
diff --git a/themes/marvin/marvin.theme b/themes/marvin/marvin.theme
index 5ddf9827349e..bbceb6f9ac65 100644
--- a/themes/marvin/marvin.theme
+++ b/themes/marvin/marvin.theme
@@ -30,7 +30,7 @@ function header($title) {
      <STYLE type="text/css"> 
       <!--
        BODY,TD,P,UL,LI,DIV,FORM,EM,BLOCKQUOTE { font-size: 10pt; font-family: Lucida,Verdana,Helvetica,Arial; }
-       TH { font-size: 11pt; font-family: Lucida,Verdana,Helvetica,Arial; }
+       TH { font-size: 10pt; font-family: Lucida,Verdana,Helvetica,Arial; }
       -->
      </STYLE>
      <BODY TEXT="#000000" BGCOLOR="#FFFFFF" ALINK="#CCCCCC" LINK="#665555" VLINK="#665555">
@@ -43,7 +43,7 @@ function header($title) {
         <TD ALIGN="right" COLSPAN="2"><SMALL><A HREF="">home</A> | <A HREF="faq.php">faq</A> | <A HREF="diary.php">diary</A> | <A HREF="search.php">search</A> | <A HREF="submit.php">submit news</A> | <A HREF="account.php">user account</A></SMALL></TD>
        </TR>
        <TR>
-        <TD VALIGN="top" WIDTH="500">
+        <TD VALIGN="top" WIDTH="470">
     <?
    }
 
@@ -131,8 +131,9 @@ function commentControl($sid, $title, $thold, $mode, $order) {
          </TR>
          <TR>
           <TD ALIGN="center" BGCOLOR="<? echo "$this->bgcolor1"; ?>">
-           <FORM METHOD="get" ACTION="discussion.php">
+           <FORM METHOD="post" ACTION="discussion.php">
             <SMALL> 
+            <INPUT TYPE="hidden" NAME="id" VALUE="<? echo "$sid"; ?>"> 
             <SELECT NAME="thold">
              <OPTION VALUE="-1" <? if ($thold == -1) { echo "SELECTED"; } ?>>Threshold: -1
              <OPTION VALUE="0" <? if ($thold == 0) { echo "SELECTED"; } ?>>Threshold: 0
@@ -152,11 +153,7 @@ function commentControl($sid, $title, $thold, $mode, $order) {
              <OPTION VALUE="1" <? if ($order==1) { echo "SELECTED"; } ?>>Newest first
              <OPTION VALUE="2" <? if ($order==2) { echo "SELECTED"; } ?>>Highest scoring first
             </SELECT> 
-            <INPUT TYPE="hidden" NAME="id" VALUE="<? echo "$sid"; ?>"> 
-            <INPUT TYPE="submit" VALUE="Refresh">
-            <?
-             if (isset($user)) echo "<BR><CENTER><INPUT TYPE=\"checkbox\" NAME=\"save\"> Save preferences</CENTER>"; 
-            ?>
+            <INPUT TYPE="submit" NAME="op" VALUE="Save">
             </SMALL>
            </FORM>
           </TD>
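Review bot: The single `Save` submit replaces the `isset($user)` check and the `save` checkbox, so the form no longer distinguishes refreshing the view from persisting preferences and is offered to anonymous visitors as well; the `op=Save` handler in discussion.php, outside this chunk, must confirm a logged-in user before writing anything. The POST form also carries no per-session token, so a preference change can be triggered by a request that did not originate from this page; a hidden token checked server-side would close that. The hidden `id` input moved in the previous hunk still echoes `$sid` unescaped with `<? echo "$sid"; ?>`; if `$sid` comes from the request, an integer cast or `htmlspecialchars($sid)` would be the safe form. commentControl's body begins before and ends after this hunk.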
@@ -293,7 +290,7 @@ function box($subject, $content) {
    function footer() {
      ?>
        </TD>
-       <TD VALIGN="top" WIDTH="150">
+       <TD VALIGN="top" WIDTH="180">
          <?
          global $PHP_SELF;  
 
-- 
GitLab