Context Navigation

source: trunk/comments.php @ 1696

Last change on this file since 1696 was 1696, checked in by rub, 17 years ago
Fixed: HTML vulnerability (Cross Site Scripting)
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 13.9 KB

Line
1	<?php
2	// +-----------------------------------------------------------------------+
3	// \| PhpWebGallery - a PHP based picture gallery \|
4	// \| Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net \|
5	// \| Copyright (C) 2003-2005 PhpWebGallery Team - http://phpwebgallery.net \|
6	// +-----------------------------------------------------------------------+
7	// \| branch : BSF (Best So Far)
8	// \| file : $Id: comments.php 1696 2007-01-03 23:28:09Z rub $
9	// \| last update : $Date: 2007-01-03 23:28:09 +0000 (Wed, 03 Jan 2007) $
10	// \| last modifier : $Author: rub $
11	// \| revision : $Revision: 1696 $
12	// +-----------------------------------------------------------------------+
13	// \| This program is free software; you can redistribute it and/or modify \|
14	// \| it under the terms of the GNU General Public License as published by \|
15	// \| the Free Software Foundation \|
16	// \| \|
17	// \| This program is distributed in the hope that it will be useful, but \|
18	// \| WITHOUT ANY WARRANTY; without even the implied warranty of \|
19	// \| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU \|
20	// \| General Public License for more details. \|
21	// \| \|
22	// \| You should have received a copy of the GNU General Public License \|
23	// \| along with this program; if not, write to the Free Software \|
24	// \| Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, \|
25	// \| USA. \|
26	// +-----------------------------------------------------------------------+
27
28	// +-----------------------------------------------------------------------+
29	// \| initialization \|
30	// +-----------------------------------------------------------------------+
31	define('PHPWG_ROOT_PATH','./');
32	include_once(PHPWG_ROOT_PATH.'include/common.inc.php');
33
34	// +-----------------------------------------------------------------------+
35	// \| Check Access and exit when user status is not ok \|
36	// +-----------------------------------------------------------------------+
37	check_status(ACCESS_GUEST);
38
39	$sort_order = array(
40	'descending' => 'DESC',
41	'ascending' => 'ASC'
42	);
43
44	// sort_by : database fields proposed for sorting comments list
45	$sort_by = array(
46	'date' => 'comment date',
47	'image_id' => 'picture'
48	);
49
50	// items_number : list of number of items to display per page
51	$items_number = array(5,10,20,50,'all');
52
53	// since when display comments ?
54	//
55	$since_options = array(
56	1 => array('label' => l10n('today'),
57	'clause' => 'date > SUBDATE(CURDATE(), INTERVAL 1 DAY)'),
58	2 => array('label' => sprintf(l10n('last %d days'), 7),
59	'clause' => 'date > SUBDATE(CURDATE(), INTERVAL 7 DAY)'),
60	3 => array('label' => sprintf(l10n('last %d days'), 30),
61	'clause' => 'date > SUBDATE(CURDATE(), INTERVAL 30 DAY)'),
62	4 => array('label' => l10n('the beginning'),
63	'clause' => '1=1') // stupid but generic
64	);
65
66	$page['since'] = isset($_GET['since']) ? $_GET['since'] : 3;
67
68	// on which field sorting
69	//
70	$page['sort_by'] = 'date';
71	// if the form was submitted, it overloads default behaviour
72	if (isset($_GET['sort_by']))
73	{
74	$page['sort_by'] = $_GET['sort_by'];
75	}
76
77	// order to sort
78	//
79	$page['sort_order'] = $sort_order['descending'];
80	// if the form was submitted, it overloads default behaviour
81	if (isset($_GET['sort_order']))
82	{
83	$page['sort_order'] = $sort_order[$_GET['sort_order']];
84	}
85
86	// number of items to display
87	//
88	$page['items_number'] = 5;
89	if (isset($_GET['items_number']))
90	{
91	$page['items_number'] = $_GET['items_number'];
92	}
93
94	// which category to filter on ?
95	$page['cat_clause'] = '1=1';
96	if (isset($_GET['cat']) and 0 != $_GET['cat'])
97	{
98	$page['cat_clause'] =
99	'category_id IN ('.implode(',', get_subcat_ids(array($_GET['cat']))).')';
100	}
101
102	// search a particular author
103	$page['author_clause'] = '1=1';
104	if (isset($_GET['author']) and !empty($_GET['author']))
105	{
106	if (function_exists('mysql_real_escape_string'))
107	{
108	$author = mysql_real_escape_string($_GET['author']);
109	}
110	else
111	{
112	$author = mysql_escape_string($_GET['author']);
113	}
114
115	$page['author_clause'] = 'author = \''.$author.'\'';
116	}
117
118	// search a substring among comments content
119	$page['keyword_clause'] = '1=1';
120	if (isset($_GET['keyword']) and !empty($_GET['keyword']))
121	{
122	if (function_exists('mysql_real_escape_string'))
123	{
124	$keyword = mysql_real_escape_string($_GET['keyword']);
125	}
126	else
127	{
128	$keyword = mysql_escape_string($_GET['keyword']);
129	}
130	$page['keyword_clause'] =
131	'('.
132	implode(' AND ',
133	array_map(
134	create_function(
135	'$s',
136	'return "content LIKE \'%$s%\'";'
137	),
138	preg_split('/[\s,;]+/', $keyword)
139	)
140	).
141	')';
142	}
143
144	// which status to filter on ?
145	if ( is_admin() )
146	{
147	$page['status_clause'] = '1=1';
148	}
149	else
150	{
151	$page['status_clause'] = 'validated="true"';
152	}
153
154
155	// +-----------------------------------------------------------------------+
156	// \| comments management \|
157	// +-----------------------------------------------------------------------+
158	if (isset($_GET['delete']) and is_numeric($_GET['delete'])
159	and !is_adviser() )
160	{// comments deletion
161	check_status(ACCESS_ADMINISTRATOR);
162	$query = '
163	DELETE FROM '.COMMENTS_TABLE.'
164	WHERE id='.$_GET['delete'].'
165	;';
166	pwg_query($query);
167	}
168
169	if (isset($_GET['validate']) and is_numeric($_GET['validate'])
170	and !is_adviser() )
171	{ // comments validation
172	check_status(ACCESS_ADMINISTRATOR);
173	$query = '
174	UPDATE '.COMMENTS_TABLE.'
175	SET validated = \'true\'
176	, validation_date = NOW()
177	WHERE id='.$_GET['validate'].'
178	;';
179	pwg_query($query);
180	}
181
182	// +-----------------------------------------------------------------------+
183	// \| page header and options \|
184	// +-----------------------------------------------------------------------+
185
186	$title= l10n('title_comments');
187	$page['body_id'] = 'theCommentsPage';
188	include(PHPWG_ROOT_PATH.'include/page_header.php');
189
190	$template->set_filenames(array('comments'=>'comments.tpl'));
191	$template->assign_vars(
192	array(
193	'L_COMMENT_TITLE' => $title,
194
195	'F_ACTION'=>PHPWG_ROOT_PATH.'comments.php',
196	'F_KEYWORD'=>@htmlentities($_GET['keyword']),
197	'F_AUTHOR'=>@htmlentities($_GET['author']),
198
199	'U_HOME' => make_index_url(),
200	)
201	);
202
203	// +-----------------------------------------------------------------------+
204	// \| form construction \|
205	// +-----------------------------------------------------------------------+
206
207	// Search in a particular category
208	$blockname = 'category';
209
210	$template->assign_block_vars(
211	$blockname,
212	array('SELECTED' => '',
213	'VALUE'=> 0,
214	'OPTION' => '------------'
215	));
216
217	$query = '
218	SELECT id,name,uppercats,global_rank
219	FROM '.CATEGORIES_TABLE.'
220	'.get_sql_condition_FandF
221	(
222	array
223	(
224	'forbidden_categories' => 'id',
225	'visible_categories' => 'id'
226	),
227	'WHERE'
228	).'
229	;';
230	display_select_cat_wrapper($query, array(@$_GET['cat']), $blockname, true);
231
232	// Filter on recent comments...
233	$blockname = 'since_option';
234
235	foreach ($since_options as $id => $option)
236	{
237	$selected = ($id == $page['since']) ? 'selected="selected"' : '';
238
239	$template->assign_block_vars(
240	$blockname,
241	array('SELECTED' => $selected,
242	'VALUE'=> $id,
243	'CONTENT' => $option['label']
244	));
245	}
246
247	// Sort by
248	$blockname = 'sort_by_option';
249
250	foreach ($sort_by as $key => $value)
251	{
252	$selected = ($key == $page['sort_by']) ? 'selected="selected"' : '';
253
254	$template->assign_block_vars(
255	$blockname,
256	array('SELECTED' => $selected,
257	'VALUE'=> $key,
258	'CONTENT' => l10n($value)
259	));
260	}
261
262	// Sorting order
263	$blockname = 'sort_order_option';
264
265	foreach (array_keys($sort_order) as $option)
266	{
267	$selected = ($option == $page['sort_order']) ? 'selected="selected"' : '';
268
269	$template->assign_block_vars(
270	$blockname,
271	array('SELECTED' => $selected,
272	'VALUE'=> $option,
273	'CONTENT' => l10n($option)
274	));
275	}
276
277	// Number of items
278	$blockname = 'items_number_option';
279
280	foreach ($items_number as $option)
281	{
282	$selected = ($option == $page['items_number']) ? 'selected="selected"' : '';
283
284	$template->assign_block_vars(
285	$blockname,
286	array('SELECTED' => $selected,
287	'VALUE'=> $option,
288	'CONTENT' => is_numeric($option) ? $option : l10n($option)
289	));
290	}
291
292	// +-----------------------------------------------------------------------+
293	// \| navigation bar \|
294	// +-----------------------------------------------------------------------+
295
296	if (isset($_GET['start']) and is_numeric($_GET['start']))
297	{
298	$start = $_GET['start'];
299	}
300	else
301	{
302	$start = 0;
303	}
304
305	$query = '
306	SELECT COUNT(DISTINCT(id))
307	FROM '.IMAGE_CATEGORY_TABLE.' AS ic
308	INNER JOIN '.COMMENTS_TABLE.' AS com
309	ON ic.image_id = com.image_id
310	WHERE '.$since_options[$page['since']]['clause'].'
311	AND '.$page['cat_clause'].'
312	AND '.$page['author_clause'].'
313	AND '.$page['keyword_clause'].'
314	AND '.$page['status_clause'].'
315	'.get_sql_condition_FandF
316	(
317	array
318	(
319	'forbidden_categories' => 'category_id',
320	'visible_categories' => 'category_id',
321	'visible_images' => 'ic.image_id'
322	),
323	'AND'
324	).'
325	;';
326	list($counter) = mysql_fetch_row(pwg_query($query));
327
328	$url = PHPWG_ROOT_PATH
329	.'comments.php'
330	.get_query_string_diff(array('start','delete','validate'));
331
332	$navbar = create_navigation_bar($url,
333	$counter,
334	$start,
335	$page['items_number'],
336	'');
337
338	$template->assign_vars(array('NAVBAR' => $navbar));
339
340	// +-----------------------------------------------------------------------+
341	// \| last comments display \|
342	// +-----------------------------------------------------------------------+
343
344	$comments = array();
345	$element_ids = array();
346	$category_ids = array();
347
348	$query = '
349	SELECT com.id AS comment_id
350	, com.image_id
351	, ic.category_id
352	, com.author
353	, com.date
354	, com.content
355	, com.id AS comment_id
356	, com.validated
357	FROM '.IMAGE_CATEGORY_TABLE.' AS ic
358	INNER JOIN '.COMMENTS_TABLE.' AS com
359	ON ic.image_id = com.image_id
360	WHERE '.$since_options[$page['since']]['clause'].'
361	AND '.$page['cat_clause'].'
362	AND '.$page['author_clause'].'
363	AND '.$page['keyword_clause'].'
364	AND '.$page['status_clause'].'
365	'.get_sql_condition_FandF
366	(
367	array
368	(
369	'forbidden_categories' => 'category_id',
370	'visible_categories' => 'category_id',
371	'visible_images' => 'ic.image_id'
372	),
373	'AND'
374	).'
375	GROUP BY comment_id
376	ORDER BY '.$page['sort_by'].' '.$page['sort_order'];
377	if ('all' != $page['items_number'])
378	{
379	$query.= '
380	LIMIT '.$start.','.$page['items_number'];
381	}
382	$query.= '
383	;';
384	$result = pwg_query($query);
385	while ($row = mysql_fetch_assoc($result))
386	{
387	array_push($comments, $row);
388	array_push($element_ids, $row['image_id']);
389	array_push($category_ids, $row['category_id']);
390	}
391
392	if (count($comments) > 0)
393	{
394	// retrieving element informations
395	$elements = array();
396	$query = '
397	SELECT id, name, file, path, tn_ext
398	FROM '.IMAGES_TABLE.'
399	WHERE id IN ('.implode(',', $element_ids).')
400	;';
401	$result = pwg_query($query);
402	while ($row = mysql_fetch_assoc($result))
403	{
404	$elements[$row['id']] = $row;
405	}
406
407	// retrieving category informations
408	$categories = array();
409	$query = '
410	SELECT id, name, uppercats
411	FROM '.CATEGORIES_TABLE.'
412	WHERE id IN ('.implode(',', $category_ids).')
413	;';
414	$result = pwg_query($query);
415	while ($row = mysql_fetch_assoc($result))
416	{
417	$categories[$row['id']] = $row;
418	}
419
420	foreach ($comments as $comment)
421	{
422	if (!empty($elements[$comment['image_id']]['name']))
423	{
424	$name=$elements[$comment['image_id']]['name'];
425	}
426	else
427	{
428	$name=get_name_from_file($elements[$comment['image_id']]['file']);
429	}
430
431	// source of the thumbnail picture
432	$thumbnail_src = get_thumbnail_url( $elements[$comment['image_id']] );
433
434	// link to the full size picture
435	$url = make_picture_url(
436	array(
437	'category' => $comment['category_id'],
438	'cat_name' => $categories[ $comment['category_id']] ['name'],
439	'image_id' => $comment['image_id'],
440	'image_file' => $elements[$comment['image_id']]['file'],
441	)
442	);
443
444	$author = $comment['author'];
445	if (empty($comment['author']))
446	{
447	$author = l10n('guest');
448	}
449
450	$template->assign_block_vars(
451	'comment',
452	array(
453	'U_PICTURE' => $url,
454	'TN_SRC' => $thumbnail_src,
455	'ALT' => $name,
456	'AUTHOR' => $author,
457	'DATE'=>format_date($comment['date'],'mysql_datetime',true),
458	'CONTENT'=>trigger_event('render_comment_content',$comment['content']),
459	));
460
461	if ( is_admin() )
462	{
463	$url = get_root_url().'comments.php'.get_query_string_diff(array('delete','validate'));
464	$template->assign_block_vars(
465	'comment.action_delete',
466	array(
467	'U_DELETE' => add_url_params($url,
468	array('delete'=>$comment['comment_id'])
469	),
470	));
471	if ($comment['validated'] != 'true')
472	{
473	$template->assign_block_vars(
474	'comment.action_validate',
475	array(
476	'U_VALIDATE' => add_url_params($url,
477	array('validate'=>$comment['comment_id'])
478	),
479	));
480	}
481	}
482	}
483	}
484	// +-----------------------------------------------------------------------+
485	// \| html code display \|
486	// +-----------------------------------------------------------------------+
487	$template->assign_block_vars('title',array());
488	$template->parse('comments');
489	include(PHPWG_ROOT_PATH.'include/page_tail.php');
490	?>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: