source: trunk/include/functions_comment.inc.php @ 4398

Last change on this file since 4398 was 4325, checked in by nikrou, 15 years ago

Feature 1244 resolved
Replace all mysql functions in core code by ones independent of the database engine

Fix small php code syntax: hash must be accessed with [ ] and not { }.

1<?php
2// +-----------------------------------------------------------------------+
3// | Piwigo - a PHP based picture gallery                                  |
4// +-----------------------------------------------------------------------+
5// | Copyright(C) 2008-2009 Piwigo Team                  http://piwigo.org |
6// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
7// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
8// +-----------------------------------------------------------------------+
9// | This program is free software; you can redistribute it and/or modify  |
10// | it under the terms of the GNU General Public License as published by  |
11// | the Free Software Foundation                                          |
12// |                                                                       |
13// | This program is distributed in the hope that it will be useful, but   |
14// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
15// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
16// | General Public License for more details.                              |
17// |                                                                       |
18// | You should have received a copy of the GNU General Public License     |
19// | along with this program; if not, write to the Free Software           |
20// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
21// | USA.                                                                  |
22// +-----------------------------------------------------------------------+
23
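/**
 * Basic spam check on a new comment, registered as a 'user_comment_check'
 * event handler (plugins hooked on the same event can do more).
 *
 * Returns the action to perform on the comment: one of validate, moderate,
 * reject. Only guest comments are inspected; the action is escalated to
 * $conf['comment_spam_reject'] ? 'reject' : 'moderate' when the comment
 * carries more than $conf['comment_spam_max_links'] links.
 *
 * @param string $action  action proposed so far (validate, moderate, reject)
 * @param array  $comment comment data; 'content' and 'author' are inspected
 * @return string action to perform
 */
function user_comment_check($action, $comment)
{
  global $conf;

  // nothing is stricter than reject: keep it
  if ($action==='reject')
    return $action;

  // the action we escalate to when too many links are found
  $my_action = $conf['comment_spam_reject'] ? 'reject':'moderate';

  if ($action===$my_action)
    return $action;

  // we do here only BASIC spam check (plugins can do more); registered users
  // are trusted
  if ( !is_a_guest() )
    return $action;

  $content = isset($comment['content']) ? $comment['content'] : '';
  $author = isset($comment['author']) ? $comment['author'] : '';

  // preg_match_all() returns false on a PCRE error: count that as no link
  $link_count = (int)preg_match_all( '/https?:\/\//', $content, $matches);

  // a link in the author name counts as one more link, whatever the scheme
  // (same pattern as for the content)
  if ( preg_match('/https?:\/\//', $author) )
  {
    $link_count++;
  }

  if ( $link_count>$conf['comment_spam_max_links'] )
    return $my_action;

  return $action;
}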
// register the basic spam check on the 'user_comment_check' event; the
// handler receives 2 arguments: the current action and the comment array
add_event_handler(
  'user_comment_check',
  'user_comment_check',
  EVENT_HANDLER_PRIORITY_NEUTRAL,
  2
);
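/**
 * Tries to insert a user comment in the database and returns one of :
 * validate, moderate, reject
 *
 * The comment is rejected when a guest uses the name of a registered user,
 * when the content is empty, when the key is missing, expired or does not
 * match, or when the author already posted less than
 * $conf['anti-flood_time'] seconds ago. The 'user_comment_check' event is
 * then triggered so that plugins can alter the action. When the comment is
 * inserted, the administrators may be notified by mail depending on
 * $conf['email_admin_on_comment'] and $conf['email_admin_on_comment_validation'].
 *
 * @param array comm contains author, content, image_id; completed in place
 *              with ip, agent, author_id and, once inserted, id
 * @param string key secret key sent back to the browser ("timestamp:hmac")
 * @param array infos out array of messages (l10n strings explaining a reject)
 * @return string one of validate, moderate, reject
 */
function insert_user_comment( &$comm, $key, &$infos )
{
  global $conf, $user;

  $comm = array_merge( $comm,
    array(
      'ip' => $_SERVER['REMOTE_ADDR'],
      // the User-Agent header is optional: avoid a notice when it is absent
      'agent' => isset($_SERVER['HTTP_USER_AGENT'])
        ? $_SERVER['HTTP_USER_AGENT'] : ''
    )
   );

  $infos = array();
  if (!$conf['comments_validation'] or is_admin())
  {
    $comment_action='validate'; //one of validate, moderate, reject
  }
  else
  {
    $comment_action='moderate'; //one of validate, moderate, reject
  }

  // display author field if the user status is guest or generic
  if (!is_classic_user())
  {
    if ( empty($comm['author']) )
    {
      $comm['author'] = 'guest';
    }
    $comm['author_id'] = $conf['guest_id'];
    // if a guest try to use the name of an already existing user, he must be
    // rejected
    if ( $comm['author'] !== 'guest' )
    {
      $query = '
SELECT COUNT(*) AS user_exists
  FROM '.USERS_TABLE.'
  WHERE '.$conf['user_fields']['username']." = '".addslashes($comm['author'])."'";
      $row = pwg_db_fetch_assoc( pwg_query( $query ) );
      // COUNT(*) comes back as a string: compare numerically
      if ( (int)$row['user_exists'] > 0 )
      {
        array_push($infos, l10n('comment_user_exists') );
        $comment_action='reject';
      }
    }
  }
  else
  {
    $comm['author'] = addslashes($user['username']);
    $comm['author_id'] = $user['id'];
  }

  if ( empty($comm['content']) )
  { // empty comment content
    $comment_action='reject';
  }

  // the key is "timestamp:hmac", built when the form was displayed; anything
  // that is not a string (missing parameter, array) is an invalid key
  $key = explode( ':', is_string($key) ? $key : '' );
  if ( count($key)!=2
        or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago
        or $key[0]<time()-3600 // 60 minutes expiration
      )
  {
    $comment_action='reject';
  }
  else
  {
    $expected = hash_hmac(
      'md5', $key[0].':'.$comm['image_id'], $conf['secret_key']
      );
    // compare as strings: with a loose != two numeric-looking hex digests
    // are compared as numbers. hash_equals() (PHP >= 5.6) additionally makes
    // the comparison independent of where the strings differ.
    $key_is_valid = function_exists('hash_equals')
      ? hash_equals($expected, $key[1])
      : ($expected === $key[1]);
    if ( !$key_is_valid )
    {
      $comment_action='reject';
    }
  }

  if ($comment_action!=='reject' and $conf['anti-flood_time']>0 )
  { // anti-flood system
    $reference_date = time() - $conf['anti-flood_time'];
    // author_id was set above to $conf['guest_id'] or $user['id']: the cast
    // makes sure only an integer reaches the query
    $query = '
SELECT id FROM '.COMMENTS_TABLE.'
  WHERE date > FROM_UNIXTIME('.$reference_date.')
    AND author_id = '.(int)$comm['author_id'];
    if ( pwg_db_num_rows( pwg_query( $query ) ) > 0 )
    {
      array_push( $infos, l10n('comment_anti-flood') );
      $comment_action='reject';
    }
  }

  // perform more spam check
  $comment_action = trigger_event('user_comment_check',
      $comment_action, $comm
    );

  if ( $comment_action!=='reject' )
  {
    // NOTE(review): author and content are interpolated into the query as
    // they arrived (author is addslashes'd above only for registered users);
    // they must already be SQL-escaped by the caller - the stripslashes()
    // calls on the mail below suggest so, confirm at the call site.
    $query = '
INSERT INTO '.COMMENTS_TABLE.'
  (author, author_id, content, date, validated, validation_date, image_id)
  VALUES (
    "'.$comm['author'].'",
    '.(int)$comm['author_id'].',
    "'.$comm['content'].'",
    NOW(),
    "'.($comment_action==='validate' ? 'true':'false').'",
    '.($comment_action==='validate' ? 'NOW()':'NULL').',
    '.$comm['image_id'].'
  )
';

    pwg_query($query);

    $comm['id'] = pwg_db_insert_id();

    // validated comments are reported with email_admin_on_comment, the ones
    // waiting for moderation with email_admin_on_comment_validation
    if (($comment_action==='validate' and $conf['email_admin_on_comment']) or
        ($comment_action!=='validate' and $conf['email_admin_on_comment_validation']))
    {
      include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');

      $del_url = get_absolute_root_url().'comments.php?delete='.$comm['id'];

      $keyargs_content = array
      (
        get_l10n_args('Author: %s', stripslashes($comm['author']) ),
        get_l10n_args('Comment: %s', stripslashes($comm['content']) ),
        get_l10n_args('', ''),
        get_l10n_args('Delete: %s', $del_url)
      );

      // a comment waiting for moderation also gets a validation link
      if ($comment_action!=='validate')
      {
        $keyargs_content[] =
          get_l10n_args('', '');
        $keyargs_content[] =
          get_l10n_args('Validate: %s',
            get_absolute_root_url().'comments.php?validate='.$comm['id']);
      }

      pwg_mail_notification_admins
      (
        get_l10n_args('Comment by %s', stripslashes($comm['author']) ),
        $keyargs_content
      );
    }
  }
  return $comment_action;
}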
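/**
 * Tries to delete a user comment in the database
 * only admin can delete all comments
 * other users can delete their own comments
 * so to avoid a new sql request we add author in where clause
 *
 * On success the administrators may be notified by mail (see email_admin()).
 *
 * @param int comment_id id of the comment to delete
 * @return void
 */
function delete_user_comment($comment_id) {
  // ownership is enforced in SQL: a non-admin user only deletes rows whose
  // author_id is his own
  $user_where_clause = '';
  if (!is_admin())
  {
    $user_where_clause = '   AND author_id = \''.$GLOBALS['user']['id'].'\'';
  }
  // comment ids are integers (see pwg_db_insert_id()): the cast keeps
  // anything else from reaching the SQL string
  $query = '
DELETE FROM '.COMMENTS_TABLE.'
  WHERE id = '.(int)$comment_id.
$user_where_clause.'
;';
  $result = pwg_query($query);
  if ($result) {
    // email_admin() reports the id of the removed comment
    email_admin('delete', array(
      'author' => $GLOBALS['user']['username'],
      'comment_id' => (int)$comment_id
    ));
  }
}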
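/**
 * Tries to update a user comment in the database
 * only admin can update all comments
 * users can edit their own comments if admin allow them
 * so to avoid a new sql request we add author in where clause
 *
 * The update is rejected when the key is missing, expired or does not match,
 * or when a 'user_comment_check' handler rejects the new content. On success
 * the administrators may be notified by mail (see email_admin()).
 *
 * @param array comment contains comment_id, image_id and the new content
 * @param string post_key secret key sent back to the browser ("timestamp:hmac")
 * @return string one of validate, reject
 */
function update_user_comment($comment, $post_key)
{
  global $conf;

  $comment_action = 'validate';

  // same key check as in insert_user_comment(): "timestamp:hmac", anything
  // that is not a string is an invalid key
  $key = explode( ':', is_string($post_key) ? $post_key : '' );
  if ( count($key)!=2
       or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago
       or $key[0]<time()-3600 // 60 minutes expiration
       )
  {
    $comment_action='reject';
  }
  else
  {
    $expected = hash_hmac('md5', $key[0].':'.$comment['image_id'], $conf['secret_key']);
    // compare as strings: with a loose != two numeric-looking hex digests
    // are compared as numbers. hash_equals() (PHP >= 5.6) additionally makes
    // the comparison independent of where the strings differ.
    $key_is_valid = function_exists('hash_equals')
      ? hash_equals($expected, $key[1])
      : ($expected === $key[1]);
    if ( !$key_is_valid )
    {
      $comment_action='reject';
    }
  }

  // no anti-flood check on edition: the former (commented-out) copy of the
  // insert_user_comment() check relied on $comm['author_id'], which is not
  // defined here

  // perform more spam check
  $comment_action =
    trigger_event('user_comment_check',
                  $comment_action,
                  array_merge($comment,
                              array('author' => $GLOBALS['user']['username'])
                              )
                  );

  if ( $comment_action!=='reject' )
  {
    // ownership is enforced in SQL: a non-admin user only updates rows whose
    // author_id is his own
    $user_where_clause = '';
    if (!is_admin())
    {
      $user_where_clause = '   AND author_id = \''.
        $GLOBALS['user']['id'].'\'';
    }
    // comment ids are integers: the cast keeps anything else from reaching
    // the SQL string. NOTE(review): content is interpolated as it arrived and
    // must already be SQL-escaped by the caller (the stripslashes() on the
    // mail below suggests so) - confirm at the call site.
    $query = '
UPDATE '.COMMENTS_TABLE.'
  SET content = \''.$comment['content'].'\',
      validation_date = now()
  WHERE id = '.(int)$comment['comment_id'].
$user_where_clause.'
;';
    $result = pwg_query($query);
    if ($result) {
      email_admin('edit', array('author' => $GLOBALS['user']['username'],
                                'content' => stripslashes($comment['content'])) );
    }
  }
  return $comment_action;
}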
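/**
 * Notifies the administrators that a comment was edited or deleted, when the
 * matching configuration flag is set.
 *
 * @param string action 'edit' or 'delete'; anything else is ignored
 * @param array comment 'author', plus 'comment_id' for a deletion or
 *              'content' for an edition
 * @return void
 */
function email_admin($action, $comment)
{
  global $conf;

  // only 'edit' and 'delete' are reported, and each one can be muted by
  // configuration
  if (!in_array($action, array('edit', 'delete'), true)
      or (($action==='edit') and !$conf['email_admin_on_comment_edition'])
      or (($action==='delete') and !$conf['email_admin_on_comment_deletion']))
  {
    return;
  }

  include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');

  $keyargs_content = array();
  $keyargs_content[] = get_l10n_args('Author: %s', $comment['author']);
  if ($action==='delete')
  {
    // the caller must provide the id of the removed comment
    $keyargs_content[] = get_l10n_args('This author removed the comment with id %d',
                                       $comment['comment_id']
                                       );
  }
  else
  {
    $keyargs_content[] = get_l10n_args('This author modified following comment:', '');
    $keyargs_content[] = get_l10n_args('Comment: %s', $comment['content']);
  }

  pwg_mail_notification_admins(get_l10n_args('Comment by %s',
                                             $comment['author']),
                               $keyargs_content
                               );
}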
340?>