Context Navigation

source: branches/1.7/comments.php @ 16469

Last change on this file since 16469 was 2762, checked in by plg, 16 years ago

merge -c2755 from branch 2.0 to branch 1.7

fix vulnerability http://www.milw0rm.com/exploits/6755

Property svn:eol-style set to LF
Property svn:keywords set to Author Date Id Revision

File size: 13.1 KB

Line
1	<?php
2	// +-----------------------------------------------------------------------+
3	// \| PhpWebGallery - a PHP based picture gallery \|
4	// \| Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net \|
5	// \| Copyright (C) 2003-2007 PhpWebGallery Team - http://phpwebgallery.net \|
6	// +-----------------------------------------------------------------------+
7	// \| branch : BSF (Best So Far)
8	// \| file : $Id: comments.php 2762 2008-10-16 19:34:46Z plg $
9	// \| last update : $Date: 2008-10-16 19:34:46 +0000 (Thu, 16 Oct 2008) $
10	// \| last modifier : $Author: plg $
11	// \| revision : $Revision: 2762 $
12	// +-----------------------------------------------------------------------+
13	// \| This program is free software; you can redistribute it and/or modify \|
14	// \| it under the terms of the GNU General Public License as published by \|
15	// \| the Free Software Foundation \|
16	// \| \|
17	// \| This program is distributed in the hope that it will be useful, but \|
18	// \| WITHOUT ANY WARRANTY; without even the implied warranty of \|
19	// \| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU \|
20	// \| General Public License for more details. \|
21	// \| \|
22	// \| You should have received a copy of the GNU General Public License \|
23	// \| along with this program; if not, write to the Free Software \|
24	// \| Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, \|
25	// \| USA. \|
26	// +-----------------------------------------------------------------------+
27
28	// +-----------------------------------------------------------------------+
29	// \| initialization \|
30	// +-----------------------------------------------------------------------+
31	define('PHPWG_ROOT_PATH','./');
32	include_once(PHPWG_ROOT_PATH.'include/common.inc.php');
33
34	// +-----------------------------------------------------------------------+
35	// \| Check Access and exit when user status is not ok \|
36	// +-----------------------------------------------------------------------+
37	check_status(ACCESS_GUEST);
38
39	$sort_order = array(
40	'descending' => 'DESC',
41	'ascending' => 'ASC'
42	);
43
44	// sort_by : database fields proposed for sorting comments list
45	$sort_by = array(
46	'date' => 'comment date',
47	'image_id' => 'picture'
48	);
49
50	// items_number : list of number of items to display per page
51	$items_number = array(5,10,20,50,'all');
52
53	// since when display comments ?
54	//
55	$since_options = array(
56	1 => array('label' => l10n('today'),
57	'clause' => 'date > SUBDATE(CURDATE(), INTERVAL 1 DAY)'),
58	2 => array('label' => sprintf(l10n('last %d days'), 7),
59	'clause' => 'date > SUBDATE(CURDATE(), INTERVAL 7 DAY)'),
60	3 => array('label' => sprintf(l10n('last %d days'), 30),
61	'clause' => 'date > SUBDATE(CURDATE(), INTERVAL 30 DAY)'),
62	4 => array('label' => l10n('the beginning'),
63	'clause' => '1=1') // stupid but generic
64	);
65
66	$page['since'] = isset($_GET['since']) ? $_GET['since'] : 4;
67
68	// on which field sorting
69	//
70	$page['sort_by'] = 'date';
71	// if the form was submitted, it overloads default behaviour
72	if (isset($_GET['sort_by']) and isset($sort_by[$_GET['sort_by']]) )
73	{
74	$page['sort_by'] = $_GET['sort_by'];
75	}
76
77	// order to sort
78	//
79	$page['sort_order'] = $sort_order['descending'];
80	// if the form was submitted, it overloads default behaviour
81	if (isset($_GET['sort_order']) and isset($sort_order[$_GET['sort_order']]))
82	{
83	$page['sort_order'] = $sort_order[$_GET['sort_order']];
84	}
85
86	// number of items to display
87	//
88	$page['items_number'] = 10;
89	if (isset($_GET['items_number']))
90	{
91	$page['items_number'] = $_GET['items_number'];
92	}
93
94	$page['where_clauses'] = array();
95
96	// which category to filter on ?
97	if (isset($_GET['cat']) and 0 != $_GET['cat'])
98	{
99	$page['where_clauses'][] =
100	'category_id IN ('.implode(',', get_subcat_ids(array($_GET['cat']))).')';
101	}
102
103	// search a particular author
104	if (isset($_GET['author']) and !empty($_GET['author']))
105	{
106	$page['where_clauses'][] = 'com.author = \''.$_GET['author'].'\'';
107	}
108
109	// search a substring among comments content
110	if (isset($_GET['keyword']) and !empty($_GET['keyword']))
111	{
112	$page['where_clauses'][] =
113	'('.
114	implode(' AND ',
115	array_map(
116	create_function(
117	'$s',
118	'return "content LIKE \'%$s%\'";'
119	),
120	preg_split('/[\s,;]+/', $_GET['keyword'] )
121	)
122	).
123	')';
124	}
125
126	$page['where_clauses'][] = $since_options[$page['since']]['clause'];
127
128	// which status to filter on ?
129	if ( !is_admin() )
130	{
131	$page['where_clauses'][] = 'validated="true"';
132	}
133
134	$page['where_clauses'][] = get_sql_condition_FandF
135	(
136	array
137	(
138	'forbidden_categories' => 'category_id',
139	'visible_categories' => 'category_id',
140	'visible_images' => 'ic.image_id'
141	),
142	'', true
143	);
144
145	// +-----------------------------------------------------------------------+
146	// \| comments management \|
147	// +-----------------------------------------------------------------------+
148	if (isset($_GET['delete']) and is_numeric($_GET['delete'])
149	and !is_adviser() )
150	{// comments deletion
151	check_status(ACCESS_ADMINISTRATOR);
152	$query = '
153	DELETE FROM '.COMMENTS_TABLE.'
154	WHERE id='.$_GET['delete'].'
155	;';
156	pwg_query($query);
157	}
158
159	if (isset($_GET['validate']) and is_numeric($_GET['validate'])
160	and !is_adviser() )
161	{ // comments validation
162	check_status(ACCESS_ADMINISTRATOR);
163	$query = '
164	UPDATE '.COMMENTS_TABLE.'
165	SET validated = \'true\'
166	, validation_date = NOW()
167	WHERE id='.$_GET['validate'].'
168	;';
169	pwg_query($query);
170	}
171
172	// +-----------------------------------------------------------------------+
173	// \| page header and options \|
174	// +-----------------------------------------------------------------------+
175
176	$title= l10n('title_comments');
177	$page['body_id'] = 'theCommentsPage';
178	include(PHPWG_ROOT_PATH.'include/page_header.php');
179
180	$template->set_filenames(array('comments'=>'comments.tpl'));
181	$template->assign_vars(
182	array(
183	'L_COMMENT_TITLE' => $title,
184
185	'F_ACTION'=>PHPWG_ROOT_PATH.'comments.php',
186	'F_KEYWORD'=>@htmlentities(stripslashes($_GET['keyword'])),
187	'F_AUTHOR'=>@htmlentities(stripslashes($_GET['author'])),
188
189	'U_HOME' => make_index_url(),
190	)
191	);
192
193	// +-----------------------------------------------------------------------+
194	// \| form construction \|
195	// +-----------------------------------------------------------------------+
196
197	// Search in a particular category
198	$blockname = 'category';
199
200	$template->assign_block_vars(
201	$blockname,
202	array('SELECTED' => '',
203	'VALUE'=> 0,
204	'OPTION' => '------------'
205	));
206
207	$query = '
208	SELECT id, name, uppercats, global_rank
209	FROM '.CATEGORIES_TABLE.'
210	'.get_sql_condition_FandF
211	(
212	array
213	(
214	'forbidden_categories' => 'id',
215	'visible_categories' => 'id'
216	),
217	'WHERE'
218	).'
219	;';
220	display_select_cat_wrapper($query, array(@$_GET['cat']), $blockname, true);
221
222	// Filter on recent comments...
223	$blockname = 'since_option';
224
225	foreach ($since_options as $id => $option)
226	{
227	$selected = ($id == $page['since']) ? 'selected="selected"' : '';
228
229	$template->assign_block_vars(
230	$blockname,
231	array('SELECTED' => $selected,
232	'VALUE'=> $id,
233	'CONTENT' => $option['label']
234	));
235	}
236
237	// Sort by
238	$blockname = 'sort_by_option';
239
240	foreach ($sort_by as $key => $value)
241	{
242	$selected = ($key == $page['sort_by']) ? 'selected="selected"' : '';
243
244	$template->assign_block_vars(
245	$blockname,
246	array('SELECTED' => $selected,
247	'VALUE'=> $key,
248	'CONTENT' => l10n($value)
249	));
250	}
251
252	// Sorting order
253	$blockname = 'sort_order_option';
254
255	foreach (array_keys($sort_order) as $option)
256	{
257	$selected = ($option == $page['sort_order']) ? 'selected="selected"' : '';
258
259	$template->assign_block_vars(
260	$blockname,
261	array('SELECTED' => $selected,
262	'VALUE'=> $option,
263	'CONTENT' => l10n($option)
264	));
265	}
266
267	// Number of items
268	$blockname = 'items_number_option';
269
270	foreach ($items_number as $option)
271	{
272	$selected = ($option == $page['items_number']) ? 'selected="selected"' : '';
273
274	$template->assign_block_vars(
275	$blockname,
276	array('SELECTED' => $selected,
277	'VALUE'=> $option,
278	'CONTENT' => is_numeric($option) ? $option : l10n($option)
279	));
280	}
281
282	// +-----------------------------------------------------------------------+
283	// \| navigation bar \|
284	// +-----------------------------------------------------------------------+
285
286	if (isset($_GET['start']) and is_numeric($_GET['start']))
287	{
288	$start = $_GET['start'];
289	}
290	else
291	{
292	$start = 0;
293	}
294
295	$query = '
296	SELECT COUNT(DISTINCT(id))
297	FROM '.IMAGE_CATEGORY_TABLE.' AS ic
298	INNER JOIN '.COMMENTS_TABLE.' AS com
299	ON ic.image_id = com.image_id
300	WHERE '.implode('
301	AND ', $page['where_clauses']).'
302	;';
303	list($counter) = mysql_fetch_row(pwg_query($query));
304
305	$url = PHPWG_ROOT_PATH
306	.'comments.php'
307	.get_query_string_diff(array('start','delete','validate'));
308
309	$navbar = create_navigation_bar($url,
310	$counter,
311	$start,
312	$page['items_number'],
313	'');
314
315	$template->assign_vars(array('NAVBAR' => $navbar));
316
317	// +-----------------------------------------------------------------------+
318	// \| last comments display \|
319	// +-----------------------------------------------------------------------+
320
321	$comments = array();
322	$element_ids = array();
323	$category_ids = array();
324
325	$query = '
326	SELECT com.id AS comment_id
327	, com.image_id
328	, ic.category_id
329	, com.author
330	, com.date
331	, com.content
332	, com.id AS comment_id
333	, com.validated
334	FROM '.IMAGE_CATEGORY_TABLE.' AS ic
335	INNER JOIN '.COMMENTS_TABLE.' AS com
336	ON ic.image_id = com.image_id
337	WHERE '.implode('
338	AND ', $page['where_clauses']).'
339	GROUP BY comment_id
340	ORDER BY '.$page['sort_by'].' '.$page['sort_order'];
341	if ('all' != $page['items_number'])
342	{
343	$query.= '
344	LIMIT '.$start.','.$page['items_number'];
345	}
346	$query.= '
347	;';
348	$result = pwg_query($query);
349	while ($row = mysql_fetch_assoc($result))
350	{
351	array_push($comments, $row);
352	array_push($element_ids, $row['image_id']);
353	array_push($category_ids, $row['category_id']);
354	}
355
356	if (count($comments) > 0)
357	{
358	// retrieving element informations
359	$elements = array();
360	$query = '
361	SELECT id, name, file, path, tn_ext
362	FROM '.IMAGES_TABLE.'
363	WHERE id IN ('.implode(',', $element_ids).')
364	;';
365	$result = pwg_query($query);
366	while ($row = mysql_fetch_assoc($result))
367	{
368	$elements[$row['id']] = $row;
369	}
370
371	// retrieving category informations
372	$query = '
373	SELECT id, name, permalink, uppercats
374	FROM '.CATEGORIES_TABLE.'
375	WHERE id IN ('.implode(',', $category_ids).')
376	;';
377	$categories = hash_from_query($query, 'id');
378
379	foreach ($comments as $comment)
380	{
381	if (!empty($elements[$comment['image_id']]['name']))
382	{
383	$name=$elements[$comment['image_id']]['name'];
384	}
385	else
386	{
387	$name=get_name_from_file($elements[$comment['image_id']]['file']);
388	}
389
390	// source of the thumbnail picture
391	$thumbnail_src = get_thumbnail_url( $elements[$comment['image_id']] );
392
393	// link to the full size picture
394	$url = make_picture_url(
395	array(
396	'category' => $categories[ $comment['category_id'] ],
397	'image_id' => $comment['image_id'],
398	'image_file' => $elements[$comment['image_id']]['file'],
399	)
400	);
401
402	$author = $comment['author'];
403	if (empty($comment['author']))
404	{
405	$author = l10n('guest');
406	}
407
408	$template->assign_block_vars(
409	'comment',
410	array(
411	'U_PICTURE' => $url,
412	'TN_SRC' => $thumbnail_src,
413	'ALT' => $name,
414	'AUTHOR' => trigger_event('render_comment_author', $author),
415	'DATE'=>format_date($comment['date'],'mysql_datetime',true),
416	'CONTENT'=>trigger_event('render_comment_content',$comment['content']),
417	));
418
419	if ( is_admin() )
420	{
421	$url = get_root_url().'comments.php'.get_query_string_diff(array('delete','validate'));
422	$template->assign_block_vars(
423	'comment.action_delete',
424	array(
425	'U_DELETE' => add_url_params($url,
426	array('delete'=>$comment['comment_id'])
427	),
428	));
429	if ($comment['validated'] != 'true')
430	{
431	$template->assign_block_vars(
432	'comment.action_validate',
433	array(
434	'U_VALIDATE' => add_url_params($url,
435	array('validate'=>$comment['comment_id'])
436	),
437	));
438	}
439	}
440	}
441	}
442	// +-----------------------------------------------------------------------+
443	// \| html code display \|
444	// +-----------------------------------------------------------------------+
445	$template->assign_block_vars('title',array());
446	$template->parse('comments');
447	include(PHPWG_ROOT_PATH.'include/page_tail.php');
448	?>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: