Changeset 1716 for trunk/comments.php


Timestamp:
Jan 12, 2007, 12:15:26 AM (17 years ago)
Author:
rvelices
Message:

plugins improvements: allow plugins to fail the installation/activation
comments.php improvements:

  • no more double sql escaping on author & keyword (once in common.inc.php and

once in comments.php)

  • comment content can now be searched for any of the special characters ( ', ", <, >, & )
  • author & keyword are correctly redisplayed in browser when they are MySql

escaped

File:
1 edited

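--- a/trunk/comments.php
+++ b/trunk/comments.php
@@ -3,5 +3,5 @@
 // | PhpWebGallery - a PHP based picture gallery                           |
 // | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net |
-// | Copyright (C) 2003-2005 PhpWebGallery Team - http://phpwebgallery.net |
+// | Copyright (C) 2003-2007 PhpWebGallery Team - http://phpwebgallery.net |
 // +-----------------------------------------------------------------------+
 // | branch        : BSF (Best So Far)
@@ -64,5 +64,5 @@
   );
 
-$page['since'] = isset($_GET['since']) ? $_GET['since'] : 3;
+$page['since'] = isset($_GET['since']) ? $_GET['since'] : 4;
 
 // on which field sorting
@@ -92,41 +92,27 @@
 }
 
+$page['where_clauses'] = array();
+
 // which category to filter on ?
-$page['cat_clause'] = '1=1';
 if (isset($_GET['cat']) and 0 != $_GET['cat'])
 {
-  $page['cat_clause'] =
+  $page['where_clauses'][] =
     'category_id IN ('.implode(',', get_subcat_ids(array($_GET['cat']))).')';
 }
 
 // search a particular author
-$page['author_clause'] = '1=1';
 if (isset($_GET['author']) and !empty($_GET['author']))
 {
-  if (function_exists('mysql_real_escape_string'))
-  {
-    $author = mysql_real_escape_string($_GET['author']);
-  }
-  else
-  {
-    $author = mysql_escape_string($_GET['author']);
-  }
-
-  $page['author_clause'] = 'author = \''.$author.'\'';
+  $page['where_clauses'][] = 'com.author = \''.$_GET['author'].'\'';
 }
 
 // search a substring among comments content
-$page['keyword_clause'] = '1=1';
 if (isset($_GET['keyword']) and !empty($_GET['keyword']))
 {
-  if (function_exists('mysql_real_escape_string'))
-  {
-    $keyword = mysql_real_escape_string($_GET['keyword']);
-  }
-  else
-  {
-    $keyword = mysql_escape_string($_GET['keyword']);
-  }
-  $page['keyword_clause'] =
+  // fors some odd reason comment content is htmlspecialchars in the database
+  $keyword = addslashes(
+      htmlspecialchars( stripslashes($_GET['keyword']), ENT_QUOTES)
+    );
+  $page['where_clauses'][] =
     '('.
     implode(' AND ',
@@ -142,13 +128,21 @@
 }
 
+$page['where_clauses'][] = $since_options[$page['since']]['clause'];
+
 // which status to filter on ?
-if ( is_admin() )
-{
-  $page['status_clause'] = '1=1';
-}
-else
-{
-  $page['status_clause'] = 'validated="true"';
-}
-
+if ( !is_admin() )
+{
+  $page['where_clauses'][] = 'validated="true"';
+}
+
+$page['where_clauses'][] = get_sql_condition_FandF
+  (
+    array
+      (
+        'forbidden_categories' => 'category_id',
+        'visible_categories' => 'category_id',
+        'visible_images' => 'ic.image_id'
+      ),
+    '', true
+  );
 
@@ -194,6 +188,6 @@
 
     'F_ACTION'=>PHPWG_ROOT_PATH.'comments.php',
-    'F_KEYWORD'=>@htmlentities($_GET['keyword']),
-    'F_AUTHOR'=>@htmlentities($_GET['author']),
+    'F_KEYWORD'=>@htmlentities(stripslashes($_GET['keyword'])),
+    'F_AUTHOR'=>@htmlentities(stripslashes($_GET['author'])),
 
     'U_HOME' => make_index_url(),
@@ -308,19 +302,6 @@
     INNER JOIN '.COMMENTS_TABLE.' AS com
     ON ic.image_id = com.image_id
-  WHERE '.$since_options[$page['since']]['clause'].'
-    AND '.$page['cat_clause'].'
-    AND '.$page['author_clause'].'
-    AND '.$page['keyword_clause'].'
-    AND '.$page['status_clause'].'
-'.get_sql_condition_FandF
-  (
-    array
-      (
-        'forbidden_categories' => 'category_id',
-        'visible_categories' => 'category_id',
-        'visible_images' => 'ic.image_id'
-      ),
-    'AND'
-  ).'
+  WHERE '.implode('
+    AND ', $page['where_clauses']).'
 ;';
 list($counter) = mysql_fetch_row(pwg_query($query));
@@ -358,19 +339,6 @@
     INNER JOIN '.COMMENTS_TABLE.' AS com
     ON ic.image_id = com.image_id
-  WHERE '.$since_options[$page['since']]['clause'].'
-    AND '.$page['cat_clause'].'
-    AND '.$page['author_clause'].'
-    AND '.$page['keyword_clause'].'
-    AND '.$page['status_clause'].'
-'.get_sql_condition_FandF
-  (
-    array
-      (
-        'forbidden_categories' => 'category_id',
-        'visible_categories' => 'category_id',
-        'visible_images' => 'ic.image_id'
-      ),
-    'AND'
-  ).'
+  WHERE '.implode('
+    AND ', $page['where_clauses']).'
   GROUP BY comment_id
   ORDER BY '.$page['sort_by'].' '.$page['sort_order'];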
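Review bot: The author filter at new line 106 now concatenates `$_GET['author']` directly into the SQL string, so the query is only injection-safe if the value was already escaped by common.inc.php, which is not in this hunk; a reader of comments.php cannot see that guarantee, and the `stripslashes()` added at new lines 190-191 suggests the upstream step is addslashes-style rather than a charset-aware `mysql_real_escape_string()`. I would at least document the dependency next to the clause, `// relies on common.inc.php having SQL-escaped $_GET once; do not escape again here`, and preferably make the escaping local and visible, e.g. `'com.author = \''.mysql_real_escape_string(stripslashes($_GET['author'])).'\''`, if the upstream escaping is addslashes-compatible. The same question applies to `$since_options[$page['since']]['clause']` at new line 130: `$page['since']` comes straight from `$_GET` at line 66 and is only safe if it is validated against the keys of `$since_options` in the lines between these hunks, which are outside this view. The keyword clause body (the `implode(' AND ', ...)` at new line 118) continues past the end of the hunk.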