Commit 5fc99970 authored by Dries

I just committed everything that was queued in my backlog:

- Added a basic implementation of comment moderation
- Updated and renamed my 2 themes: I removed redundant boxes and tried to
  work towards simplicity.
- Disabled the other themes as they are broken (I gave you sufficent time
  to update them).
- Removed redundant files.
- Added security checks with regard to the usage of HTML tags.
parent 6ca7f1e2
#
# Apache/PHP/site settings:
#
......@@ -37,11 +36,11 @@ ErrorDocument 500 /error.php
# Overload PHP variables:
<IfModule mod_php4.c>
php_value track_vars On
php_value php_register_globals On
php_value magic_quotes_gpc On
php_value magic_quotes_runtime Off
php_value magic_quotes_sybase Off
php_value php_register_globals 1
php_value track_vars 1
php_value magic_quotes_gpc 1
php_value magic_quotes_runtime 0
php_value magic_quotes_sybase 0
php_value session.auto_start 1
php_value session.cookie_lifetime 1728000
php_value session.gc_maxlifetime 1728000
......
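Review bot: The rewritten directive block keeps `php_register_globals` and `magic_quotes_gpc` switched on, and the PHP hunks below depend on that: `$op`, `$id`, `$mask`, `$category` and `$moderate` are all read as request globals. With register_globals on, a request parameter can also pre-set any variable the code never initialises before `.=` (for example `$options` in account.php or `$output` in the diary functions), so each entry point should initialise its own variables or read input from `$HTTP_GET_VARS`/`$HTTP_POST_VARS` explicitly. The directive name is presumably meant to be `register_globals`; as written it may be ignored by mod_php, in which case behaviour silently depends on the server's php.ini default. `session.cookie_lifetime 1728000` keeps the session cookie valid for 20 days; a comment stating that this is intended, e.g. `# 20-day persistent login cookie`, would help the next reader.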
......@@ -37,7 +37,7 @@ function showUser($uname) {
$output .= " <TR><TD><B>User ID:</B></TD><TD>$user->userid</TD></TR>\n";
$output .= " <TR><TD><B>Name:</B></TD><TD>$user->name</TD></TR>\n";
$output .= " <TR><TD><B>E-mail:</B></TD><TD><A HREF=\"mailto:$user->femail\">$user->femail</A></TD></TR>\n";
$output .= " <TR><TD><B>URL:</B></TD><TD><A HREF=\"$user->url\">$user->url</A></TD></TR>\n";
$output .= " <TR><TD><B>URL:</B></TD><TD><A HREF=\"$user->url\" TARGET=\"_new\">$user->url</A></TD></TR>\n";
if ($user->access > 0) $output .= "<TR><TD VALIGN=top><B>Access:</B></TD><TD>". showAccess() ."</TD></TR>\n";
$output .= " <TR><TD><B>Bio:</B></TD><TD>$user->bio</TD></TR>\n";
$output .= " <TR><TD><B>Signature:</B></TD><TD>$user->signature</TD></TR>\n";
......@@ -240,11 +240,10 @@ function account_track_comments() {
$output .= "<B>Theme:</B><BR>\n";
### Loop (dynamically) through all available themes:
$handle = opendir("themes");
while ($file = readdir($handle)) if(!ereg("^\.",$file) && file_exists("themes/$file/theme.class.php")) $options .= "<OPTION VALUE=\"$file\"". (((!empty($userinfo[theme])) && ($file == $cfg_theme)) || ($user->theme == $file) ? " SELECTED" : "") .">$file</OPTION>";
closedir($handle);
foreach ($themes as $key=>$value) {
$options .= "<OPTION VALUE=\"$key\"". (($user->theme == $key) ? " SELECTED" : "") .">$key - $value[1]</OPTION>";
}
if ($userinfo[theme]=="") $userinfo[theme] = $cfg_theme;
$output .= "<SELECT NAME=\"edit[theme]\">$options</SELECT><BR>\n";
$output .= "<I>Selecting a different theme will change the look and feel of the site.</I><P>\n";
$output .= "<B>Maximum number of stories:</B><BR>\n";
......
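Review bot: In showUser() the new URL line (the one carrying `TARGET="_new"`, which print order suggests is the new side) writes `$user->url` into an HREF attribute without escaping, so a stored value containing a quote or a non-http scheme is rendered as-is; the mailto line above does the same with `$user->femail`. Escaping and restricting the scheme before output closes this, e.g. `$url = htmlspecialchars($user->url);` ahead of the line and `HREF=\"$url\"` in it, with the link only emitted when the value starts with `http://`. In the account_track_comments() hunk, the new `foreach ($themes …)` loop has no fallback when `$user->theme` matches none of the keys (this commit disables the other themes), so such a user gets a list with nothing SELECTED and the first entry is submitted on the next save; `if (empty($themes[$user->theme])) $user->theme = key($themes);` before the loop keeps a sane default. The `$userinfo[theme] = $cfg_theme` line below the loop uses an unquoted key and, if `$cfg_theme` was replaced by `$themes` in config.inc as that hunk suggests, now references a removed setting. Both functions start and end outside their hunks.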
<?
//////////////////////////////////////////////////
// This code should go in the admin pages and is only a temporary
// placeholder untill we are going to rewrite the admin pages. If
// you have the sudden urge to integrate it into admin.php or if
// you have some time to kill ... I won't stop you. A rewrite of
// admin.php is sheduled for v0.20 anyway ...
// Like this the ban.php code I just queued it to be included into
// the new admin pages. After proper integration, this file can
// be removed.
//
// -- Dries
//////////////////////////////////////////////////
include "database.inc";
include "ban.inc";
function ban_check($mask, $category) {
$ban = ban_match($mask, $category);
print "<H3>Status:</H3>\n";
print "". ($ban ? "Matched ban '<B>$ban->mask</B>' with reason: <I>$ban->reason</I>.<P>\n" : "No matching bans for '$mask'.<P>\n") ."";
}
function ban_new($mask, $category, $reason) {
ban_add($mask, $category, $reason, &$message);
print "<H3>Status:</H3>\n";
print "$message\n";
}
function ban_display($category = "") {
global $PHP_SELF, $type;
### initialize variable:
$category = $category ? $category : 1;
### Perform query:
$result = db_query("SELECT * FROM bans WHERE type = $category ORDER BY mask");
### Generate output:
print "<H3>Active bans:</H3>\n";
print "<TABLE BORDER=\"1\" CELLPADDING=\"3\" CELLSPACING=\"0\">\n";
print " <TR>\n";
print " <TH COLSPAN=\"2\" >Active bans</TH>\n";
print " </TH>\n";
print " <TH>\n";
print " <FORM ACTION=\"$PHP_SELF\" METHOD=\"post\">\n";
print " <SELECT NAME=\"category\">\n";
for (reset($type); $cur = current($type); next($type)) {
print " <OPTION VALUE=\"$cur\"". ($cur == $category ? " SELECTED" : "") .">". key($type) ."</OPTION>\n";
}
print " </SELECT>\n";
print " <INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"Refresh\">\n";
print " </FORM>\n";
print " </TH>\n";
print " </TR>\n";
print " <TR>\n";
print " <TH>Mask</TH>\n";
print " <TH>Reason</TH>\n";
print " <TH>Operations</TH>\n";
print " </TR>\n";
while ($ban = db_fetch_object($result)) {
print " <TR><TD>$ban->mask</TD><TD>$ban->reason</TD><TD ALIGN=\"center\"><A HREF=\"$PHP_SELF?op=delete&category=$category&id=$ban->id\">delete</A></TD></TR>\n";
}
print " <TR><TD COLSPAN=\"3\"><SMALL>%: matches any number of characters, even zero characters.<BR>_: matches exactly one character.</SMALL></TD></TR>\n";
print "</TABLE>\n";
print "<BR><HR>\n";
print "<H3>Add new ban:</H3>\n";
print "<FORM ACTION=\"$PHP_SELF\" METHOD=\"post\">\n";
print "<B>Banmask:</B><BR>\n";
print "<INPUT TYPE=\"text\" NAME=\"mask\" SIZE=\"35\"><P>\n";
print "<B>Type:</B><BR>\n";
print "<SELECT NAME=\"category\"\">\n";
for (reset($type); $cur = current($type); next($type)) {
print "<OPTION VALUE=\"$cur\"". ($cur == $category ? " SELECTED" : "") .">". key($type) ."</OPTION>\n";
}
print "</SELECT><P>\n";
print "<B>Reason:</B><BR>\n";
print "<TEXTAREA NAME=\"reason\" COLS=\"35\" ROWS=\"5\"></TEXTAREA><P>\n";
print "<INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"Add ban\"><BR>\n";
print "</FORM>\n";
print "<BR><HR>\n";
print "<H3>Ban check:</H3>\n";
print "<FORM ACTION=\"$PHP_SELF\" METHOD=\"post\">\n";
print "<B>Banmask:</B><BR>\n";
print "<INPUT TYPE=\"text\" NAME=\"mask\" SIZE=\"35\"><P>\n";
print "<B>Type:</B><BR>\n";
print "<SELECT NAME=\"category\"\">\n";
for (reset($type); $cur = current($type); next($type)) {
print "<OPTION VALUE=\"$cur\"". ($cur == $category ? " SELECTED" : "") .">". key($type) ."</OPTION>\n";
}
print "</SELECT><P>\n";
print "<INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"Check ban\"><BR>\n";
print "</FORM>\n";
}
include "admin.inc";
admin_header();
switch ($op) {
case "Add ban":
ban_new($mask, $category, $reason);
ban_display($category);
break;
case "Check ban":
ban_check($mask, $category);
ban_display($category);
break;
case "delete":
ban_delete($id);
ban_display($category);
break;
default:
ban_display($category);
}
admin_footer();
?>
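Review bot: `ban_display()` interpolates `$category` unescaped into `SELECT * FROM bans WHERE type = $category`, and `$category`, `$mask` and `$id` all arrive as request globals through the `switch ($op)` at the bottom, so the query text is shaped by whoever can reach this page; `$mask` is also echoed raw into HTML in `ban_check()`. Since the default is the integer `1` and the options come from `$type` (assumed to hold integer ids), casting suffices: `$category = $category ? (int) $category : 1;` in `ban_display()`, `ban_delete((int) $id);` in the delete case, and `htmlspecialchars($mask)` in the status line. Nothing in this file checks that the caller is an administrator; whether `admin_header()` from `admin.inc` does so cannot be seen here, and the literal-name guard added to admin.php does not cover this file. The two `<SELECT NAME=\"category\"\">` tags carry a stray `\"`, and `&$message` in `ban_new()` is call-time pass-by-reference, which later PHP versions reject.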
<?
// TEMPORARY SECURITY PATCH:
if ($user->userid != "Dries") exit();
/*
* Account administration:
*/
......
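Review bot: The new guard `if ($user->userid != "Dries") exit();` ties authorisation to a literal account name, so it breaks if that account is renamed and cannot admit a second administrator; the codebase already carries an access level (`$user->access` in account.php), which is the natural thing to test, e.g. `if ($user->access <= 0) exit();`, assuming a positive value denotes admin rights. With register_globals enabled in .htaccess, whether `$user` can be influenced by a request parameter depends on where authentication.inc assigns it, which is outside this hunk; the check must run only after that assignment. The marker comment could state the removal condition, e.g. `// TEMPORARY SECURITY PATCH: replace with an access-level check once admin.php is rewritten (see admin_ban.php header)`.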
<?PHP
<?
#
# MySQL settings:
#
$dbhost = "zind.net";
$dbuname = "dries";
$dbpass = "Abc123";
$dbname = "dries";
#$dbhost = "";
#$dbhost = "zind.net";
#$dbuname = "dries";
#$dbpass = "oakley";
#$dbpass = "Abc123";
#$dbname = "dries";
$dbhost = "";
$dbuname = "dries";
$dbpass = "oakley";
$dbname = "dries";
#
# Name of the site
#
......@@ -24,7 +24,7 @@
# The contact information will be used to send out automated mails
# to users, account holders or visitors.
$contact_email = "droppies@zind.net";
$contact_signature = "Kind regards,\n\n-- the drop.org crew\nhttp://www.drop.org/";
$contact_signature = "Kind regards,\n\n-- the drop.org crew\nhttp://beta.drop.org/";
#
# Notify:
......@@ -46,36 +46,52 @@
#
# Comment meta reasons:
#
$comments_votes = array("-1" => "-1", "0" => "0", "+1" => "+ 1", "+2" => "+ 2", "+3" => "+ 3", "+4" => "+ 4", "+5" => "+ 5");
$comment_votes = array("none" => "none", "-1" => "-1", "0" => "0", "+1" => "+ 1", "+2" => "+ 2", "+3" => "+ 3", "+4" => "+ 4", "+5" => "+ 5");
#
# Categories:
#
$categories = array('Announcements', 'Arts & Humanities', 'Business & Economy', 'Coding & Webdesign', 'Computers & Internet', 'Drop.org', 'Entertainment', 'Freedom', 'Government', 'News & Media', 'Science', 'Society & Culture');
$categories = array("Announcements",
"Arts & Humanities",
"Business & Economy",
"Coding & Webdesign",
"Computers & Internet",
"Drop.org",
"Entertainment",
"Freedom",
"Government",
"News & Media",
"Science",
"Society & Culture");
#
# Allowed HTML tags:
#
$allowed_html = "<A> <B> <BR> <DD> <DL> <DT> <EM> <I> <IL> <OL> <U> <UL>";
$allowed_html = "<A><B><BR><DD><DL><DT><EM><HR><I><IL><SMALL><OL><U><UL>";
#
# Name of the 'anonymous' user account:
#
$anonymous = "Anonymous Chicken";
#
# Default theme:
# Themes:
#
$cfg_theme = "Dries";
$themes = array("Marvin" => array(
"themes/marvin/marvin.theme",
"white, simple"),
"Zaphod" => array(
"themes/zaphod/zaphod.theme",
"yellow, simple"));
#
# Submission moderation votes:
#
// NOTE: changing $submission_votes will affect the integrity of your
// database. In short, the database field user.history will
// become invalid, and will need to be reset! Please, do not
// just change this setting unless you have an empty database
// or unless you know what you are doing.
# changing $submission_votes will affect the integrity of your
# database. In short, the database field user.history will
# become invalid, and will need to be reset! Please, do not
# change this setting unless you have an empty database or
# unless you know what you are doing.
$submission_votes = array("neutral (+0)" => "+ 0",
"post it (+1)" => "+ 1",
"dump it (-1)" => "- 1");
......
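Review bot: The database hunk commits working credentials (`$dbpass = "oakley"`, and `"Abc123"` on the other side, together with host and user) into version control, and the commented-out copies keep the older value in the file as well; both passwords should be treated as exposed and rotated, and the live values moved to a file outside the repository that config.inc includes. In `$allowed_html`, `<IL>` is not an HTML element (presumably `<LI>` was meant) while `<OL>`/`<UL>` are allowed, so list items in user text are stripped but their containers survive; the list now also permits `<A>`, and `strip_tags()` keeps attributes on allowed tags, which bears on the `check()` change in function.inc. The `$comments_votes` → `$comment_votes` rename is assumed deliberate, since discussion.php reads `$comment_votes`; a comment noting that the first entry must stay the "no vote" marker, e.g. `# first entry is the "no vote" option; discussion_moderate() relies on it`, would protect that coupling.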
......@@ -11,7 +11,14 @@ function db_connect() {
include "config.inc";
mysql_pconnect($dbhost, $dbuname, $dbpass) or die(mysql_Error());
mysql_select_db("$dbname") or die ("Unable to select database");
// Note: we are using a persistent connection!
// NOTE: we are using a persistent connection!
}
function db_insert($query, $debug = false) {
// NOTE:
// add spam- and/or flood-checks
db_query($query, $debug);
}
function db_query($query, $debug = false) {
......
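Review bot: `db_insert()` discards whatever `db_query()` returns, so the callers switched to it in discussion.php cannot tell whether the INSERT succeeded; `return db_query($query, $debug);` keeps the wrapper a drop-in and preserves that. The `NOTE: add spam- and/or flood-checks` comment names the intent but gives no hook; a one-line header such as `// Insert wrapper: all writes go through here so rate limiting can be added in one place.` would make the contract clear to callers. The surrounding `db_query()` definition continues outside the hunk.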
......@@ -19,7 +19,7 @@ function diary_overview($num = 20) {
$output .= "<DL>\n";
$output .= " <DD><P><B>$diary->userid wrote:</B></P></DD>\n";
$output .= " <DL>\n";
$output .= " <DD><P>$diary->text</P><P>[ <A HREF=\"diary.php?op=view&name=$diary->userid\">more</A> ]</P></DD>\n";
$output .= " <DD><P>". check($diary->text) ."</P><P>[ <A HREF=\"diary.php?op=view&name=$diary->userid\">more</A> ]</P></DD>\n";
$output .= " </DL>\n";
$output .= "</DL>\n";
}
......@@ -34,13 +34,13 @@ function diary_entry($timestamp, $text, $id = 0) {
if ($id) {
$output .= "<DL>\n";
$output .= " <DT><B>". date("l, F jS", $timestamp) .":</B> </DT>\n";
$output .= " <DD><P>[ <A HREF=\"diary.php?op=edit&id=$id\">edit</A> ]</P><P>$text</P></DD>\n";
$output .= " <DD><P>[ <A HREF=\"diary.php?op=edit&id=$id\">edit</A> ]</P><P>". check($text) ."</P></DD>\n";
$output .= "</DL>\n";
}
else {
$output .= "<DL>\n";
$output .= " <DT><B>". date("l, F jS", $timestamp) .":</B></DT>\n";
$output .= " <DD><P>$text</P></DD>\n";
$output .= " <DD><P>". check($text) ."</P></DD>\n";
$output .= "</DL>\n";
}
return $output;
......@@ -65,7 +65,7 @@ function diary_display($username) {
$theme->footer();
}
function diary_add_enter() {
function diary_add() {
global $theme, $user, $allowed_html;
### Submission form:
......@@ -88,13 +88,13 @@ function diary_add_enter() {
$theme->footer();
}
function diary_edit_enter($id) {
function diary_edit($id) {
global $theme, $user, $allowed_html;
$result = db_query("SELECT * FROM diaries WHERE id = $id");
$diary = db_fetch_object($result);
$output .= diary_entry($diary->timestamp, check($diary->text));
$output .= diary_entry($diary->timestamp, $diary->text);
$output .= "<FORM ACTION=\"diary.php\" METHOD=\"post\">\n";
......@@ -106,7 +106,7 @@ function diary_edit_enter($id) {
$output .= "<P>\n";
$output .= " <INPUT TYPE=\"hidden\" NAME=\"id\" VALUE=\"$diary->id\">\n";
$output .= " <INPUT TYPE=\"hidden\" NAME=\"timestamp\" VALUE=\"$diary->timestamp\">\n";
$output .= " <INPUT TYPE=\"hidden\" NAME=\"timesamp\" VALUE=\"$diary->timestamp\">\n";
$output .= " <INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"Preview diary entry\"> <INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"Submit diary entry\">\n";
$output .= "</P>\n";
......@@ -120,7 +120,7 @@ function diary_edit_enter($id) {
function diary_preview($text, $timestamp, $id = 0) {
global $theme, $user, $allowed_html;
$output .= diary_entry($timestamp, check($text));
$output .= diary_entry($timestamp, $text);
$output .= "<FORM ACTION=\"diary.php\" METHOD=\"post\">\n";
......@@ -146,11 +146,11 @@ function diary_submit($text, $id = 0) {
global $user, $theme;
if ($id) {
db_query("UPDATE diaries SET text = '". check(addslashes($text)) ."' WHERE id = $id");
db_query("UPDATE diaries SET text = '". addslashes($text) ."' WHERE id = $id");
watchdog(1, "old diary entry updated");
}
else {
db_query("INSERT INTO diaries (author, text, timestamp) VALUES ('$user->id', '". check(addslashes($text)) ."', '". time() ."')");
db_query("INSERT INTO diaries (author, text, timestamp) VALUES ('$user->id', '". addslashes($text) ."', '". time() ."')");
watchdog(1, "new diary entry added");
}
header("Location: diary.php?op=view&name=$user->userid");
......@@ -159,10 +159,10 @@ function diary_submit($text, $id = 0) {
switch($op) {
case "add":
diary_add_enter();
diary_add();
break;
case "edit":
diary_edit_enter($id);
diary_edit($id);
break;
case "view":
diary_display($name);
......
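Review bot: In the diary_edit form the hidden field is written as `NAME=\"timesamp\"` (the line following the `timestamp` one, which print order suggests is the new side), so the posted `$timestamp` will presumably be empty when `diary_preview($text, $timestamp, $id)` runs; restore `NAME=\"timestamp\"`. The UPDATE in `diary_submit()` (`WHERE id = $id`) and the SELECT in `diary_edit()` are keyed only by `$id` with no author constraint, so unless a caller outside the hunk enforces ownership any logged-in user can edit any entry; `WHERE id = ". (int) $id ." AND author = $user->id` in the UPDATE bounds that and also removes the raw interpolation. Moving `check()` from storage to display is the right direction, since the raw text is kept and the filter can be tightened later without a data migration. diary_submit and diary_edit continue outside their hunks.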
<?
function comments_kids ($cid, $mode, $order = 0, $thold = 0, $level = 0, $dummy = 0) {
function discussion_score($comment) {
$value = ($comments->votes) ? $comment->score / $comment->votes : $comments->score;
return (strpos($value, ".")) ? substr($value ."00", 0, 4) : $value .".00";
}
function discussion_moderate($moderate) {
global $user, $comment_votes;
$na = $comment_votes[key($comment_votes)];
foreach ($moderate as $id=>$vote) {
if ($user && $vote != $comment_votes[$na] && !user_getHistory($user->history, "c$id")) {
### Update the comment's score:
$result = db_query("UPDATE comments SET score = score $vote, votes = votes + 1 WHERE cid = $id");
### Update the user's history:
user_setHistory($user, "c$id", $vote);
}
}
}
function discussion_kids($cid, $mode, $order = 0, $thold = 0, $level = 0, $dummy = 0) {
global $user, $theme;
$comments = 0;
......@@ -16,7 +37,7 @@ function comments_kids ($cid, $mode, $order = 0, $thold = 0, $level = 0, $dummy
$link = "<A HREF=\"discussion.php?op=reply&sid=$comment->sid&pid=$comment->cid&mode=$mode&order=$order&thold=$thold\"><FONT COLOR=\"$theme->hlcolor2\">reply to this comment</FONT></A>";
$theme->comment($comment->userid, stripslashes($comment->subject), stripslashes($comment->comment), $comment->timestamp, stripslashes($comment->url), stripslashes($comment->femail), $comment->score, $comment->cid, $link);
comments_kids($comment->cid, $mode, $order, $thold, $level + 1, $dummy + 1);
discussion_kids($comment->cid, $mode, $order, $thold, $level + 1, $dummy + 1);
}
}
}
......@@ -24,9 +45,9 @@ function comments_kids ($cid, $mode, $order = 0, $thold = 0, $level = 0, $dummy
while ($comment = db_fetch_object($result)) {
if ($comment->score >= $thold) {
$link = "<A HREF=\"discussion.php?op=reply&sid=$comment->sid&pid=$comment->cid&mode=$mode&order=$order&thold=$thold\"><FONT COLOR=\"$theme->hlcolor2\">reply to this comment</FONT></A>";
$theme->comment($comment->userid, $comment->subject, $comment->comment, $comment->timestamp, $comment->url, $comment->femail, $comment->score, $comment->cid, $link);
$theme->comment($comment->userid, check($comment->subject), check($comment->comment), $comment->timestamp, $comment->url, $comment->femail, $comment->score, $comment->cid, $link);
}
comments_kids($comment->cid, $mode, $order, $thold);
discussion_kids($comment->cid, $mode, $order, $thold);
}
}
elseif ($mode == "disabled") {
......@@ -41,7 +62,7 @@ function comments_kids ($cid, $mode, $order = 0, $thold = 0, $level = 0, $dummy
}
}
function comments_childs($cid, $mode, $order, $thold, $level = 0, $thread) {
function discussion_childs($cid, $mode, $order, $thold, $level = 0, $thread) {
global $anonymous, $theme, $user;
### Perform SQL query:
......@@ -62,12 +83,12 @@ function comments_childs($cid, $mode, $order, $thold, $level = 0, $thread) {
$thread .= ($mode) ? "&mode=$mode" : "&mode=threaded";
$thread .= ($order) ? "&order=$order" : "&order=0";
$thread .= ($thold) ? "&thold=$thold" : "&thold=0";
$thread .= "\">$comment->subject</A> by ";
$thread .= "\">". check($comment->subject) ."</A> by ";
$thread .= ($comment->userid) ? $comment->userid : $anonymous;
$thread .= " <SMALL>(". date("D, M d, Y - H:i:s", $comment->timestamp) .")<SMALL></LI>";
$thread .= " <SMALL>(". discussion_score($comment) .")<SMALL></LI>";
### Recursive:
comments_childs($comment->cid, $mode, $order, $thold, $level + 1, &$thread);
discussion_childs($comment->cid, $mode, $order, $thold, $level + 1, &$thread);
}
if ($level && $comments) {
......@@ -77,7 +98,7 @@ function comments_childs($cid, $mode, $order, $thold, $level = 0, $thread) {
return $thread;
}
function comments_display($sid, $pid, $cid, $mode, $order, $thold, $level = 0) {
function discussion_display($sid, $pid, $cid, $mode, $order, $thold, $level = 0) {
global $user, $theme;
### Pre-process variables:
......@@ -104,6 +125,8 @@ function comments_display($sid, $pid, $cid, $mode, $order, $thold, $level = 0) {
if ($order == 2) $query .= " ORDER BY c.score DESC";
$result = db_query("$query");
print "<FORM METHOD=\"post\" ACTION=\"discussion.php\">\n";
### Display the comments:
while ($comment = db_fetch_object($result)) {
### Dynamically compose the `reply'-link:
......@@ -117,23 +140,27 @@ function comments_display($sid, $pid, $cid, $mode, $order, $thold, $level = 0) {
### Display the comments:
if (empty($mode) || $mode == "threaded") {
$thread = comments_childs($comment->cid, $mode, $order, $thold);
$theme->comment($comment->userid, $comment->subject, $comment->comment, $comment->timestamp, $comment->url, $comment->femail, $comment->score, $comment->cid, $link, $thread);
$thread = discussion_childs($comment->cid, $mode, $order, $thold);
$theme->comment($comment->userid, check($comment->subject), check($comment->comment), $comment->timestamp, $comment->url, $comment->femail, $comment->score, $comment->cid, $link, $thread);
}
else {
$theme->comment($comment->userid, $comment->subject, $comment->comment, $comment->timestamp, $comment->url, $comment->femail, $comment->score, $comment->cid, $link);
comments_kids($comment->cid, $mode, $order, $thold, $level);
$theme->comment($comment->userid, check($comment->subject), check($comment->comment), $comment->timestamp, $comment->url, $comment->femail, $comment->score, $comment->cid, $link);
discussion_kids($comment->cid, $mode, $order, $thold, $level);
}
}
print " <INPUT TYPE=\"hidden\" NAME=\"id\" VALUE=\"$sid\">\n";
print " <INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"Moderate comments\">\n";
print "</FORM>\n";
}
function comments_reply($pid, $sid, $mode, $order, $thold) {
function discussion_reply($pid, $sid, $mode, $order, $thold) {
global $anonymous, $user, $theme;
### Extract parent-information/data:
if ($pid) {
$item = db_fetch_object(db_query("SELECT comments.*, users.userid FROM comments LEFT JOIN users ON comments.author = users.id WHERE comments.cid = $pid"));
$theme->comment($item->userid, stripslashes($item->subject), stripslashes($item->comment), $item->timestamp, stripslashes($item->url), stripslashes($item->femail), $item->score, $item->cid, "reply to this comment");
$theme->comment($item->userid, check(stripslashes($item->subject)), check(stripslashes($item->comment)), $item->timestamp, stripslashes($item->url), stripslashes($item->femail), $item->score, $item->cid, "reply to this comment");
}
else {
$item = db_fetch_object(db_query("SELECT stories.*, users.userid FROM stories LEFT JOIN users ON stories.author = users.id WHERE stories.status != 0 AND stories.id = $sid"));
......@@ -189,8 +216,8 @@ function comment_preview($pid, $sid, $subject, $comment, $mode, $order, $thold)
global $anonymous, $user, $theme;
### Preview comment:
if ($user) $theme->comment("", stripslashes($subject), stripslashes($comment), time(), "", "", "na", "", "reply to this comment");
else $theme->comment($user->userid, stripslashes($subject), stripslashes($comment), time(), stripslashes($user->url), stripslashes($user->femail), "na", "", "reply to this comment");
if ($user) $theme->comment("", check(stripslashes($subject)), check(stripslashes($comment)), time(), "", "", "na", "", "reply to this comment");
else $theme->comment($user->userid, check(stripslashes($subject)), check(stripslashes($comment)), time(), stripslashes($user->url), stripslashes($user->femail), "na", "", "reply to this comment");
### Build reply form:
$output .= "<FORM ACTION=\"discussion.php\" METHOD=\"post\">\n";
......@@ -264,7 +291,7 @@ function comment_post($pid, $sid, $subject, $comment, $mode, $order, $thold) {
else {
if ($user) {
### Add comment to database:
db_query("INSERT INTO comments (pid, sid, author, subject, comment, hostname, timestamp) VALUES ($pid, $sid, $user->id, '". addslashes($subject) ."', '". addslashes($comment) ."', '". getenv("REMOTE_ADDR") ."', '". time() ."')");
db_insert("INSERT INTO comments (pid, sid, author, subject, comment, hostname, timestamp) VALUES ($pid, $sid, $user->id, '". addslashes($subject) ."', '". addslashes($comment) ."', '". getenv("REMOTE_ADDR") ."', '". time() ."')");
### Compose header:
$header = "discussion.php?id=$sid";
......@@ -274,7 +301,7 @@ function comment_post($pid, $sid, $subject, $comment, $mode, $order, $thold) {
}
else {
### Add comment to database:
db_query("INSERT INTO comments (pid, sid, subject, comment, hostname, timestamp) VALUES ($pid, $sid, '". addslashes($subject) ."', '". addslashes($comment) ."', '". getenv("REMOTE_ADDR") ."', '". time() ."')");
db_insert("INSERT INTO comments (pid, sid, subject, comment, hostname, timestamp) VALUES ($pid, $sid, '". addslashes($subject) ."', '". addslashes($comment) ."', '". getenv("REMOTE_ADDR") ."', '". time() ."')");
### Compose header:
$header .= "discussion.php?id=$sid&mode=threaded&order=1&thold=0";
......@@ -292,7 +319,7 @@ function comment_post($pid, $sid, $subject, $comment, $mode, $order, $thold) {
$user->rehash();
}
switch($op) {
switch($op) {
case "Preview comment":
$theme->header();
comment_preview($pid, $sid, $subject, $comment, $mode, $order, $thold);
......@@ -303,12 +330,14 @@ function comment_post($pid, $sid, $subject, $comment, $mode, $order, $thold) {
break;
case "reply":
$theme->header();
comments_reply($pid, $sid, $mode, $order, $thold);
discussion_reply($pid, $sid, $mode, $order, $thold);
$theme->footer();
break;
case "Moderate comments":
discussion_moderate($moderate);
default:
$theme->header();
comments_display($id, $pid, $sid, $mode, $order, $thold);
discussion_display($id, $pid, $sid, $mode, $order, $thold);
$theme->footer();
}
......
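Review bot: `discussion_moderate()` builds `UPDATE comments SET score = score $vote, votes = votes + 1 WHERE cid = $id` from the keys and values of the posted `$moderate` array, and the only filters are `$vote != "none"` (via `$comment_votes[$na]`) and the per-user history, so arbitrary text in either value reaches the query. Validating against the configured vote table and casting the id closes it: `if ($user && isset($comment_votes[$vote]) && $vote != $na && !user_getHistory($user->history, "c$id")) {` and `db_query("UPDATE comments SET score = score + ". (int) $vote .", votes = votes + 1 WHERE cid = ". (int) $id);`. `discussion_score()` reads `$comments->votes` and `$comments->score` although its parameter is `$comment`, so the ratio branch is never taken and the function returns the fallback built from an undefined variable; both should be `$comment->`. The new moderation form also carries no per-user token, so a vote can be submitted from a page on another site; the history check only limits repeated votes by the same user.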
......@@ -31,7 +31,7 @@ function FixQuotes ($what = "") {
function check($message) {
include "config.inc";
return strip_tags(nl2br($message), $allowed_html);
return nl2br(strip_tags($message, $allowed_html));
}
function discussion_num_replies($id, $count = 0) {
......
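Review bot: The reordered `check()` now runs `strip_tags($message, $allowed_html)` before `nl2br()`, which is the right order (the old one relied on `<BR>` being in the allowed list to keep the inserted breaks), but `strip_tags()` leaves attributes on allowed tags untouched and `$allowed_html` in config.inc includes `<A>`, so href values with a non-http scheme and inline event-handler attributes pass through to every comment, diary entry and subject the commit now routes through this function. Either drop `<A>` from `$allowed_html` and render links separately, or strip attributes on allowed tags after `strip_tags()`. A header comment stating the contract, e.g. `// Filters user text for display: keeps only $allowed_html tags (attributes are NOT removed) and converts newlines to <BR>.`, would tell callers what the check does and does not guarantee. `include "config.inc"` on every call also re-evaluates the settings file per comment; `global $allowed_html;` would be cheaper.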
<?
### Include global settings:
include "config.inc";
include "function.inc";
include "authentication.inc";
include "theme.inc";
$theme->header();
/*
function addRefer($url) {
$query = "SELECT * FROM refer WHERE url = '$url'";
$result = mysql_query($query);
if ($site = mysql_fetch_object($result)) {
if ($site->status) {
$site->refers++;
$query = "UPDATE refer SET refers = '$site->refers', access_dt = '". time() ."' WHERE url = '$url'";
$result = mysql_query($query);
}
}
else {
$query = "INSERT INTO refer (url, name, refers, create_dt, access_dt) VALUES ('$url', '', '1', '". time() ."', '". time() ."')";
$result = mysql_query($query);
}
}
*/
function blockRefer($url) {
$query = "UPDATE refer SET status = '0' WHERE url = '$url'";
$result = mysql_query($query);
}
function setReferName($url, $name) {
$query = "UPDATE refer SET name = '$name' WHERE url = '$url'";
$result = mysql_query($query);
}
function deleteRefer($url) {
$query = "DELETE FROM refer WHERE url = '$url'";
$result = mysql_query($query);
}
function openRefer($url) {
$query = "UPDATE refer SET status = '1' WHERE url = '$url'";
$result = mysql_query($query);
}
function getReferArray($number = "") {
if ($number) {
$query = "SELECT * FROM refer ORDER BY refers DESC LIMIT $number";
$result = mysql_query($query);
}
else {
$query = "SELECT * FROM refer ORDER BY refers DESC";
$result = mysql_query($query);
}
$index = 0;
while ($site = mysql_fetch_object($result)) {
$rval[$index] = $site;
$index++;
}
return $rval;
}
$info = "<P>If you are not familiar with \"top sites\"-lists: we use a script that keeps track of the number of visitor your website referred to our site and we rank you according to that number. This can be a good, free way of increasing your website traffic: it is our way to give a link back to referring sites. In order to take advantage of this feature, you have to do is to use the following code when linking to our site:</P><BR><CENTER><FONT COLOR=\"orange\"><CODE>&lt;A HREF=\"http://this-site.com/<B>?url=http://www.your-website.com/</B>\"&gt;&lt;IMG SRC=\"this-site-button.gif\"&gt;&lt/A&gt;</CODE></FONT></CENTER><BR><P>By using the above line of code you will automatically participate in our referring site program. Note however that it will only work if you applied to above code correctly, that is, make sure you don't forget the <I>?url=http://www.your-website.com/</I> part. The more visitors you refer, the higher your ranking.</P><P>The highest ranked sites will be automatically included in most (if not all) our pages!</P>\n";
function referList($number = "", $detail = "0") {
$site = getReferArray($number);
$count = 1;
if ($detail) {
$rval .= "<TABLE CELLSPACING=\"2\" CELLPADDING=\"4\" WIDTH=\"100%\">\n";
$rval .= " <TR><TD><B>Rank</B></TD><TD><B>Referrals</B></TD><TD><B>URL or name</B></TD><TD NOWRAP><B>Last refer</B></TD></TR>\n";
for (reset($site); $entry = current($site); next($site)) {
$last = date("d/m/y - H:i:s", $entry->access_dt) ." &nbsp; <SMALL><I>(". round((time() - $entry->access_dt) / 86400) ." days ago)</I></SMALL>";
if ($entry->name) $rval .= " <TR><TD>$count</TD><TD>$entry->refers</TD><TD><A HREF=\"$entry->url\">$entry->name</A></TD><TD>$last</TD><TR>\n";
else $rval .= " <TR><TD>$count</TD><TD>$entry->refers</TD><TD><A HREF=\"$entry->url\">$entry->url</A></TD><TD>$last</TD></TR>\n";
$count++;
}
$rval .= "</TABLE>\n";
}
else {
for (reset($site); $entry = current($site); next($site)) {
if ($entry->name) $rval .= "$count. <A HREF=\"$entry->url\">$entry->name</A> ($entry->refers)<BR>";
else $rval .= "$count. <A HREF=\"$entry->url\">$entry->url</A> ($entry->refers)<BR>";
$count++;
}
}
return $rval;
}
function referAdmin($number = "") {
global $PHP_SELF, $bgcolor1, $bgcolor2;
$site = getReferArray($number);
$count = 1;
$rval .= "<TABLE CELLSPACING=\"2\" CELLPADDING=\"4\" WIDTH=\"100%\">\n";
$rval .= "<TR BGCOLOR=\"$bgcolor2\"><TD>#</TD><TD COLSPAN=\"2\">URL or name</TD><TD NOWRAP>First refer</TD><TD NOWRAP>Last refer</TD><TD>&nbsp;</TD><TD COLSPAN=\"3\">Commands</TD></TR>\n";
for (reset($site); $entry = current($site); next($site)) {
if ($entry->status) {
$delete = "delete";
$block = "<A HREF=\"$PHP_SELF?section=refer&method=block&url=$entry->url\">block</A>";
$status = "<FONT COLOR=\"orange\" SIZE=\"+2\">*</FONT>";
}
else {
$delete = "<A HREF=\"$PHP_SELF?section=refer&method=delete&url=$entry->url\">delete</A>";
$block = "<A HREF=\"$PHP_SELF?section=refer&method=open&url=$entry->url\">open</A>";
$status = "<FONT COLOR=\"red\" SIZE=\"+2\">*</FONT>";
}
$first = date("d/m/y - H:i:s", $entry->create_dt) ."<BR><FONT SIZE=\"-1\"><I>(". round((time() - $entry->create_dt) / 86400) ." days ago)</I></FONT>";
$last = date("d/m/y - H:i:s", $entry->access_dt) ."<BR><FONT SIZE=\"-1\"><I>(". round((time() - $entry->access_dt) / 86400) ." days ago)</I></FONT>";
if ($entry->name) $rval .= "<TR BGCOLOR=\"$bgcolor1\"><TD>$count</TD><TD><A HREF=\"$entry->url\">$entry->name</A></TD><TD>$entry->refers</TD><TD>$first</TD><TD>$last</TD><TD>$status</TD><TD>$block</TD><TD>$delete</TD><TD><A HREF=\"$PHP_SELF?section=refer&method=edit&url=$entry->url\">edit</A></TD></TR>";
else $rval .= "<TR BGCOLOR=\"$bgcolor1\"><TD>$count</TD><TD><A HREF=\"$entry->url\">$entry->url</A></TD><TD>$entry->refers</TD><TD>$first</TD><TD>$last</TD><TD>$status</TD><TD>$block</TD><TD>$delete</TD><TD><A HREF=\"$PHP_SELF?section=refer&method=edit&url=$entry->url\">edit</A></TD></TR>";
$count++;
}
$rval .= "</TABLE>\n";
return $rval;
}
/*
### log valid refers:
if (($url) && ($section != "refer") && (strstr(getenv("HTTP_REFERER"), $url))) {
addRefer($url);
}
*/
### parse URI:
if ($section == "refer") {