source: branches/2.0/comments.php @ 3519

Revision 3519, 12.2 KB checked in by vdigital, 11 years ago (diff)

Minor: prevent for non numeric values (except all)

  • Property svn:eol-style set to LF
  • Property svn:keywords set to Author Date Id Revision
Line 
1<?php
2// +-----------------------------------------------------------------------+
3// | Piwigo - a PHP based picture gallery                                  |
4// +-----------------------------------------------------------------------+
5// | Copyright(C) 2008-2009 Piwigo Team                  http://piwigo.org |
6// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
7// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
8// +-----------------------------------------------------------------------+
9// | This program is free software; you can redistribute it and/or modify  |
10// | it under the terms of the GNU General Public License as published by  |
11// | the Free Software Foundation                                          |
12// |                                                                       |
13// | This program is distributed in the hope that it will be useful, but   |
14// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
15// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
16// | General Public License for more details.                              |
17// |                                                                       |
18// | You should have received a copy of the GNU General Public License     |
19// | along with this program; if not, write to the Free Software           |
20// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
21// | USA.                                                                  |
22// +-----------------------------------------------------------------------+
23
24// +-----------------------------------------------------------------------+
25// |                           initialization                              |
26// +-----------------------------------------------------------------------+
27define('PHPWG_ROOT_PATH','./');
28include_once(PHPWG_ROOT_PATH.'include/common.inc.php');
29
30// +-----------------------------------------------------------------------+
31// | Check Access and exit when user status is not ok                      |
32// +-----------------------------------------------------------------------+
33check_status(ACCESS_GUEST);
34
35$sort_order = array(
36  'DESC' => l10n('descending'),
37  'ASC'  => l10n('ascending')
38  );
39
40// sort_by : database fields proposed for sorting comments list
41$sort_by = array(
42  'date' => l10n('comment date'),
43  'image_id' => l10n('picture')
44  );
45
46// items_number : list of number of items to display per page
47$items_number = array(5,10,20,50,'all');
48
49// since when display comments ?
50//
51$since_options = array(
52  1 => array('label' => l10n('today'),
53             'clause' => 'date > SUBDATE(CURDATE(), INTERVAL 1 DAY)'),
54  2 => array('label' => sprintf(l10n('last %d days'), 7),
55             'clause' => 'date > SUBDATE(CURDATE(), INTERVAL 7 DAY)'),
56  3 => array('label' => sprintf(l10n('last %d days'), 30),
57             'clause' => 'date > SUBDATE(CURDATE(), INTERVAL 30 DAY)'),
58  4 => array('label' => l10n('the beginning'),
59             'clause' => '1=1') // stupid but generic
60  );
61
62$page['since'] = isset($_GET['since']) ? $_GET['since'] : 4;
63
64// on which field sorting
65//
66$page['sort_by'] = 'date';
67// if the form was submitted, it overloads default behaviour
68if (isset($_GET['sort_by']) and isset($sort_by[$_GET['sort_by']]) )
69{
70  $page['sort_by'] = $_GET['sort_by'];
71}
72
73// order to sort
74//
75$page['sort_order'] = 'DESC';
76// if the form was submitted, it overloads default behaviour
77if (isset($_GET['sort_order']) and isset($sort_order[$_GET['sort_order']]))
78{
79  $page['sort_order'] = $_GET['sort_order'];
80}
81
82// number of items to display
83//
84$page['items_number'] = 10;
85if (isset($_GET['items_number']))
86{
87  $page['items_number'] = $_GET['items_number'];
88}
89if ( !is_numeric($page['items_number']) and $page['items_number']!='all' ) 
90{
91  $page['items_number'] = 10;
92}
93
94$page['where_clauses'] = array();
95
96// which category to filter on ?
97if (isset($_GET['cat']) and 0 != $_GET['cat'])
98{
99  $page['where_clauses'][] =
100    'category_id IN ('.implode(',', get_subcat_ids(array($_GET['cat']))).')';
101}
102
103// search a particular author
104if (isset($_GET['author']) and !empty($_GET['author']))
105{
106  $page['where_clauses'][] = 'com.author = \''.$_GET['author'].'\'';
107}
108
109// search a substring among comments content
110if (isset($_GET['keyword']) and !empty($_GET['keyword']))
111{
112  $page['where_clauses'][] =
113    '('.
114    implode(' AND ',
115            array_map(
116              create_function(
117                '$s',
118                'return "content LIKE \'%$s%\'";'
119                ),
120              preg_split('/[\s,;]+/', $_GET['keyword'] )
121              )
122      ).
123    ')';
124}
125
126$page['where_clauses'][] = $since_options[$page['since']]['clause'];
127
128// which status to filter on ?
129if ( !is_admin() )
130{
131  $page['where_clauses'][] = 'validated="true"';
132}
133
134$page['where_clauses'][] = get_sql_condition_FandF
135  (
136    array
137      (
138        'forbidden_categories' => 'category_id',
139        'visible_categories' => 'category_id',
140        'visible_images' => 'ic.image_id'
141      ),
142    '', true
143  );
144
145// +-----------------------------------------------------------------------+
146// |                         comments management                           |
147// +-----------------------------------------------------------------------+
148if (isset($_GET['delete']) and is_numeric($_GET['delete'])
149      and !is_adviser() )
150{// comments deletion
151  check_status(ACCESS_ADMINISTRATOR);
152  $query = '
153DELETE FROM '.COMMENTS_TABLE.'
154  WHERE id='.$_GET['delete'].'
155;';
156  pwg_query($query);
157}
158
159if (isset($_GET['validate']) and is_numeric($_GET['validate'])
160      and !is_adviser() )
161{  // comments validation
162  check_status(ACCESS_ADMINISTRATOR);
163  $query = '
164UPDATE '.COMMENTS_TABLE.'
165  SET validated = \'true\'
166  , validation_date = NOW()
167  WHERE id='.$_GET['validate'].'
168;';
169  pwg_query($query);
170}
171
172// +-----------------------------------------------------------------------+
173// |                       page header and options                         |
174// +-----------------------------------------------------------------------+
175
176$title= l10n('User comments');
177$page['body_id'] = 'theCommentsPage';
178
179$template->set_filenames(array('comments'=>'comments.tpl'));
180$template->assign(
181  array(
182    'F_ACTION'=>PHPWG_ROOT_PATH.'comments.php',
183    'F_KEYWORD'=>@htmlspecialchars(stripslashes($_GET['keyword'])),
184    'F_AUTHOR'=>@htmlspecialchars(stripslashes($_GET['author'])),
185    )
186  );
187
188// +-----------------------------------------------------------------------+
189// |                          form construction                            |
190// +-----------------------------------------------------------------------+
191
192// Search in a particular category
193$blockname = 'categories';
194
195$query = '
196SELECT id, name, uppercats, global_rank
197  FROM '.CATEGORIES_TABLE.'
198'.get_sql_condition_FandF
199  (
200    array
201      (
202        'forbidden_categories' => 'id',
203        'visible_categories' => 'id'
204      ),
205    'WHERE'
206  ).'
207;';
208display_select_cat_wrapper($query, array(@$_GET['cat']), $blockname, true);
209
210// Filter on recent comments...
211$tpl_var=array();
212foreach ($since_options as $id => $option)
213{
214  $tpl_var[ $id ] = $option['label'];
215}
216$template->assign( 'since_options', $tpl_var);
217$template->assign( 'since_options_selected', $page['since']);
218
219// Sort by
220$template->assign( 'sort_by_options', $sort_by);
221$template->assign( 'sort_by_options_selected', $page['sort_by']);
222
223// Sorting order
224$template->assign( 'sort_order_options', $sort_order);
225$template->assign( 'sort_order_options_selected', $page['sort_order']);
226
227
228// Number of items
229$blockname = 'items_number_option';
230$tpl_var=array();
231foreach ($items_number as $option)
232{
233  $tpl_var[ $option ] = is_numeric($option) ? $option : l10n($option);
234}
235$template->assign( 'item_number_options', $tpl_var);
236$template->assign( 'item_number_options_selected', $page['items_number']);
237
238
239// +-----------------------------------------------------------------------+
240// |                            navigation bar                             |
241// +-----------------------------------------------------------------------+
242
243if (isset($_GET['start']) and is_numeric($_GET['start']))
244{
245  $start = $_GET['start'];
246}
247else
248{
249  $start = 0;
250}
251
252$query = '
253SELECT COUNT(DISTINCT(id))
254  FROM '.IMAGE_CATEGORY_TABLE.' AS ic
255    INNER JOIN '.COMMENTS_TABLE.' AS com
256    ON ic.image_id = com.image_id
257  WHERE '.implode('
258    AND ', $page['where_clauses']).'
259;';
260list($counter) = mysql_fetch_row(pwg_query($query));
261
262$url = PHPWG_ROOT_PATH
263    .'comments.php'
264    .get_query_string_diff(array('start','delete','validate'));
265
266$navbar = create_navigation_bar($url,
267                                $counter,
268                                $start,
269                                $page['items_number'],
270                                '');
271
272$template->assign('NAVBAR', $navbar);
273
274// +-----------------------------------------------------------------------+
275// |                        last comments display                          |
276// +-----------------------------------------------------------------------+
277
278$comments = array();
279$element_ids = array();
280$category_ids = array();
281
282$query = '
283SELECT com.id AS comment_id
284     , com.image_id
285     , ic.category_id
286     , com.author
287     , com.date
288     , com.content
289     , com.validated
290  FROM '.IMAGE_CATEGORY_TABLE.' AS ic
291    INNER JOIN '.COMMENTS_TABLE.' AS com
292    ON ic.image_id = com.image_id
293  WHERE '.implode('
294    AND ', $page['where_clauses']).'
295  GROUP BY comment_id
296  ORDER BY '.$page['sort_by'].' '.$page['sort_order'];
297if ('all' != $page['items_number'])
298{
299  $query.= '
300  LIMIT '.$start.','.$page['items_number'];
301}
302$query.= '
303;';
304$result = pwg_query($query);
305while ($row = mysql_fetch_assoc($result))
306{
307  array_push($comments, $row);
308  array_push($element_ids, $row['image_id']);
309  array_push($category_ids, $row['category_id']);
310}
311
312if (count($comments) > 0)
313{
314  // retrieving element informations
315  $elements = array();
316  $query = '
317SELECT id, name, file, path, tn_ext
318  FROM '.IMAGES_TABLE.'
319  WHERE id IN ('.implode(',', $element_ids).')
320;';
321  $result = pwg_query($query);
322  while ($row = mysql_fetch_assoc($result))
323  {
324    $elements[$row['id']] = $row;
325  }
326
327  // retrieving category informations
328  $query = '
329SELECT id, name, permalink, uppercats
330  FROM '.CATEGORIES_TABLE.'
331  WHERE id IN ('.implode(',', $category_ids).')
332;';
333  $categories = hash_from_query($query, 'id');
334
335  foreach ($comments as $comment)
336  {
337    if (!empty($elements[$comment['image_id']]['name']))
338    {
339      $name=$elements[$comment['image_id']]['name'];
340    }
341    else
342    {
343      $name=get_name_from_file($elements[$comment['image_id']]['file']);
344    }
345
346    // source of the thumbnail picture
347    $thumbnail_src = get_thumbnail_url( $elements[$comment['image_id']] );
348
349    // link to the full size picture
350    $url = make_picture_url(
351            array(
352              'category' => $categories[ $comment['category_id'] ],
353              'image_id' => $comment['image_id'],
354              'image_file' => $elements[$comment['image_id']]['file'],
355            )
356          );
357
358    $author = $comment['author'];
359    if (empty($comment['author']))
360    {
361      $author = l10n('guest');
362    }
363
364    $tpl_comment =
365      array(
366        'U_PICTURE' => $url,
367        'TN_SRC' => $thumbnail_src,
368        'ALT' => $name,
369        'AUTHOR' => trigger_event('render_comment_author', $author),
370        'DATE'=>format_date($comment['date'], true),
371        'CONTENT'=>trigger_event('render_comment_content',$comment['content']),
372        );
373
374    if ( is_admin() )
375    {
376      $url = get_root_url().'comments.php'.get_query_string_diff(array('delete','validate'));
377      $tpl_comment['U_DELETE'] = add_url_params($url,
378                          array('delete'=>$comment['comment_id'])
379                         );
380
381      if ($comment['validated'] != 'true')
382      {
383        $tpl_comment['U_VALIDATE'] = add_url_params($url,
384                            array('validate'=>$comment['comment_id'])
385                           );
386      }
387    }
388    $template->append('comments', $tpl_comment);
389  }
390}
391// +-----------------------------------------------------------------------+
392// |                           html code display                           |
393// +-----------------------------------------------------------------------+
394include(PHPWG_ROOT_PATH.'include/page_header.php');
395$template->pparse('comments');
396include(PHPWG_ROOT_PATH.'include/page_tail.php');
397?>
Note: See TracBrowser for help on using the repository browser.