function saveComment()
{
    // Handles the final POST of the public comment form: runs the abuse checks
    // (comments closed, banned IP, blacklisted IP), cleans and validates the
    // fields, stores the comment in txp_discuss, marks the nonce as used and
    // redirects back to the article.  Any validation failure falls through to
    // the bottom, where the request is turned back into a preview instead of
    // being saved.  Returns nothing; exits on a successful save.
    global $siteurl, $comments_moderate, $comments_sendmail, $txpcfg, $comments_disallow_images, $prefs;

    // Assigned but never read below.  Note the key is 'HTTP_REFERRER' (two Rs);
    // the CGI variable carrying the Referer header is HTTP_REFERER.
    $ref = serverset('HTTP_REFERRER');
    $in = getComment();
    $evaluator =& get_comment_evaluator();
    // Turns the submitted fields into locals ($parentid, $name, $email, $web,
    // $message, $remember, $backpage, $nonce, ... -- whatever getComment()
    // returns).  Everything extracted here is untrusted client input.
    extract($in);

    if (!checkCommentsAllowed($parentid)) {
        txp_die(gTxt('comments_closed'), '403');
    }

    $ip = serverset('REMOTE_ADDR');

    if (!checkBan($ip)) {
        txp_die(gTxt('you_have_been_banned'), '403');
    }

    $blacklisted = is_blacklisted($ip);

    if ($blacklisted) {
        // The blacklist name is concatenated into the language key itself.
        txp_die(gTxt('your_ip_is_blacklisted_by' . ' ' . $blacklisted), '403');
    }

    $web = clean_url($web);
    $email = clean_url($email);

    // && binds tighter than ||: remember when the box is ticked, or when the
    // form is in "forget" mode and the forget box was left unticked.  The
    // cookies receive the cleaned but not yet slashed/stripped values.
    if ($remember == 1 || ps('checkbox_type') == 'forget' && ps('forget') != 1) {
        setCookies($name, $email, $web);
    } else {
        destroyCookies();
    }

    // From here on $name/$web/$email are tag-stripped, SQL-escaped (doSlash)
    // copies; they are reused as-is in the duplicate query, the INSERT and
    // mail_comment().  $message itself stays unescaped; $message2db is the
    // escaped, marked-up copy used for SQL.
    $name = doSlash(strip_tags(deEntBrackets($name)));
    $web = doSlash(strip_tags(deEntBrackets($web)));
    $email = doSlash(strip_tags(deEntBrackets($email)));
    // Byte-wise truncation to 65535 (presumably the column size -- confirm).
    $message = substr(trim($message), 0, 65535);
    $message2db = doSlash(markup_comment($message));
    // Exact-match duplicate check on (name, message, ip); all three operands
    // are already escaped for SQL at this point.
    $isdup = safe_row("message,name", "txp_discuss", "name='{$name}' and message='{$message2db}' and ip='" . doSlash($ip) . "'");

    if ($prefs['comments_require_name'] && !trim($name) || $prefs['comments_require_email'] && !trim($email) || !trim($message)) {
        $evaluator->add_estimate(RELOAD, 1);
        // The error-messages are added in the preview-code
    }

    if ($isdup) {
        $evaluator->add_estimate(RELOAD, 1);
    }
    // FIXME? Tell the user about dupe?

    // Nothing is written unless the evaluator is happy AND the form carried a
    // valid, unused nonce (checkNonce is the replay/CSRF gate).
    if ($evaluator->get_result() != RELOAD && checkNonce($nonce)) {
        callback_event('comment.save');
        $visible = $evaluator->get_result();

        if ($visible != RELOAD) {
            // assert_int() is what makes the unquoted parentid in the INSERT safe.
            $parentid = assert_int($parentid);
            $rs = safe_insert("txp_discuss", "parentid = {$parentid},\n\t\t\t\t\t name\t\t = '{$name}',\n\t\t\t\t\t email\t = '{$email}',\n\t\t\t\t\t web\t\t = '{$web}',\n\t\t\t\t\t ip\t\t = '" . doSlash($ip) . "',\n\t\t\t\t\t message = '{$message2db}',\n\t\t\t\t\t visible = " . intval($visible) . ",\n\t\t\t\t\t posted\t = now()");

            if ($rs) {
                // Burn the nonce only after the row exists.
                safe_update("txp_discuss_nonce", "used = 1", "nonce='" . doSlash($nonce) . "'");

                if ($prefs['comment_means_site_updated']) {
                    update_lastmod();
                }

                if ($comments_sendmail) {
                    // Receives the slashed name/email/web but the raw message.
                    mail_comment($message, $name, $email, $web, $parentid, $rs);
                }

                // Return value is not used.
                $updated = update_comments_count($parentid);
                // Build the redirect target from the client-supplied backpage:
                // truncate, drop everything from the first CR/LF or '#' (this is
                // what keeps CRLF out of the Location header), then prepend the
                // scheme+host of this site taken from hu, so the redirect stays
                // on this installation.  NOTE(review): the prefix has no
                // trailing slash, so a backpage that does not start with '/'
                // is glued straight onto the host part -- confirm the field is
                // always a path.
                $backpage = substr($backpage, 0, $prefs['max_url_len']);
                $backpage = preg_replace("/[\n\r#].*\$/s", '', $backpage);
                $backpage = preg_replace("#(https?://[^/]+)/.*\$#", "\$1", hu) . $backpage;

                if (defined('PARTLY_MESSY') and PARTLY_MESSY) {
                    $backpage = permlinkurl_id($parentid);
                }

                $backpage .= (strstr($backpage, '?') ? '&' : '?') . 'commented=' . ($visible == VISIBLE ? '1' : '0');
                txp_status_header('302 Found');

                if ($comments_moderate) {
                    // Moderated: land on the form rather than on the (hidden) comment.
                    header('Location: ' . $backpage . '#txpCommentInputForm');
                } else {
                    header('Location: ' . $backpage . '#c' . sprintf("%06s", $rs));
                }

                log_hit('302');
                $evaluator->write_trace();
                exit;
            }
        }
    }

    // Force another Preview
    // Reached on any failed validation, duplicate, bad nonce or failed insert:
    // the form code later in the request re-renders as a preview.
    $_POST['preview'] = RELOAD;
    //$evaluator->write_trace();
}
// Should be username:hash:salt $cookie = explode(':', $_COOKIE[$config['cookies']['mod']]); if (count($cookie) != 3) { // Malformed cookies destroyCookies(); mod_login(); exit; } $query = prepare("SELECT `id`, `type`, `boards`, `password` FROM ``mods`` WHERE `username` = :username"); $query->bindValue(':username', $cookie[0]); $query->execute() or error(db_error($query)); $user = $query->fetch(PDO::FETCH_ASSOC); // validate password hash if ($cookie[1] !== mkhash($cookie[0], $user['password'], $cookie[2])) { // Malformed cookies destroyCookies(); mod_login(); exit; } $mod = array('id' => $user['id'], 'type' => $user['type'], 'username' => $cookie[0], 'boards' => explode(',', $user['boards'])); } function create_pm_header() { global $mod, $config; if ($config['cache']['enabled'] && ($header = cache::get('pm_unread_' . $mod['id'])) != false) { if ($header === true) { return false; } return $header; } $query = prepare("SELECT `id` FROM ``pms`` WHERE `to` = :id AND `unread` = 1");
function commentForm($id, $atts = NULL)
{
    // Renders the public comment form for article $id.  $atts are the tag
    // attributes (isize, msgrows, msgcols, msgstyle, form).  On a preview POST
    // the fields are re-validated, a fresh nonce/secret pair is issued and
    // warnings are prepended to the inputs; otherwise the fields are
    // pre-filled from the visitor's stored values.  Returns the complete
    // <form> markup as a string.
    global $prefs;

    // Every preference becomes a local ($comments_require_name and
    // $comments_require_email are read below), then the tag attributes with
    // their defaults.
    extract($prefs);
    extract(lAtts(array(
        'isize' => '25',
        'msgrows' => '5',
        'msgcols' => '25',
        'msgstyle' => '',
        'form' => 'comment_form',
    ), $atts));

    $namewarn = '';
    $emailwarn = '';
    $commentwarn = '';
    // pcs()/ps()/cs() are the project's request/cookie accessors; their exact
    // lookup order is not visible here.
    $name = pcs('name');
    $email = pcs('email');
    $web = pcs('web');
    // Posted fields, entity-decoded and tag-stripped, become the locals
    // $remember, $forget, $parentid, $preview, $message, $submit, $backpage.
    extract(doStripTags(doDeEnt(psa(array('remember', 'forget', 'parentid', 'preview', 'message', 'submit', 'backpage')))));

    if ($preview) {
        // Raw POST values replace the stored ones for the preview round-trip.
        $name = ps('name');
        $email = ps('email');
        $web = ps('web');
        // NOTE(review): md5(uniqid(rand())) is not a cryptographic source for
        // a nonce; a later revision of this function uses getNextNonce().
        $nonce = md5(uniqid(rand(), true));
        $secret = md5(uniqid(rand(), true));
        // md5 output is hex, so the two values interpolate safely into SQL.
        safe_insert("txp_discuss_nonce", "issue_time=now(), nonce='{$nonce}', secret='{$secret}'");
        // Nested ternaries: warn only when the pref requires the field AND it
        // is blank after trim().
        $namewarn = $comments_require_name ? !trim($name) ? gTxt('comment_name_required') . br : '' : '';
        $emailwarn = $comments_require_email ? !trim($email) ? gTxt('comment_email_required') . br : '' : '';
        $commentwarn = !trim($message) ? gTxt('comment_required') . br : '';
    }

    // If the form fields are filled (anything other than blank), pages
    // really should not be saved by a public cache. rfc2616/14.9.1
    if ($name || $email || $web) {
        header('Cache-Control: private');
    }

    $parentid = !$parentid ? $id : $parentid;

    if (pcs('name') || pcs('email') || pcs('web')) {
        // Form-input different from Cookie, let's update the Cookie.
        // (The comparison below has an empty body; the net effect is simply
        // $remember = 1 whenever any of the three fields is present.)
        if (cs('name') != ps('name') or cs('email') != ps('email') or cs('web') != ps('web')) {
        }
        $remember = 1;
    }

    if ($remember == 1) {
        setCookies($name, $email, $web);
    }

    if ($forget == 1) {
        destroyCookies();
    }

    $out = '<form method="post" action="#cpreview" id="txpCommentInputForm">';
    $Form = fetch('Form', 'txp_form', 'name', $form);
    // Tag attributes go straight into the textarea attributes; rows/cols are
    // intval'd, msgstyle is emitted as-is (presumably template-author input,
    // not visitor input -- confirm).
    $msgstyle = $msgstyle ? ' style="' . $msgstyle . '"' : '';
    $msgrows = ($msgrows and is_numeric($msgrows)) ? ' rows="' . intval($msgrows) . '"' : '';
    $msgcols = ($msgcols and is_numeric($msgcols)) ? ' cols="' . intval($msgcols) . '"' : '';
    $textarea = '<textarea class="txpCommentInputMessage" name="message"' . $msgcols . $msgrows . $msgstyle . ' tabindex="1">' . htmlspecialchars($message) . '</textarea>';
    $comment_submit_button = $preview ? fInput('submit', 'submit', gTxt('submit'), 'button') : '';
    $checkbox = !empty($_COOKIE['txp_name']) ? checkbox('forget', 1, 0) . gTxt('forget') : checkbox('remember', 1, 1) . gTxt('remember');
    // NOTE(review): $name/$email/$web are handed to input() without
    // htmlspecialchars() here, while the message above is escaped -- confirm
    // input() escapes its value attribute, otherwise posted values are
    // reflected into the page unescaped.
    $vals = array(
        'comment_name_input' => $namewarn . input('text', 'name', $name, $isize, 'comment_name_input', "2"),
        'comment_email_input' => $emailwarn . input('text', 'email', $email, $isize, 'comment_email_input', "3"),
        'comment_web_input' => input('text', 'web', $web, $isize, 'comment_web_input', "4"),
        'comment_message_input' => $commentwarn . $textarea,
        'comment_remember' => $checkbox,
        'comment_preview' => input('submit', 'preview', gTxt('preview'), 'comment_preview', 'button'),
        'comment_submit' => $comment_submit_button,
    );

    // Substitute each <txp:... /> placeholder in the stored form with its widget.
    foreach ($vals as $a => $b) {
        $Form = str_replace('<txp:' . $a . ' />', $b, $Form);
    }

    $form = parse($Form);
    $out .= $form;
    $out .= graf(fInput('hidden', 'parentid', $parentid));
    // The nonce is only present on the preview step; the save step must
    // present it back (see the nonce check in the save path).
    $out .= $preview ? hInput('nonce', $nonce) : '';
    // First display records the current URI as backpage; the preview step
    // carries the previously posted value forward.
    $out .= !$preview ? graf(fInput('hidden', 'backpage', serverset("REQUEST_URI"))) : graf(fInput('hidden', 'backpage', $backpage));
    $out .= '</form>';

    return $out;
}
function mod_logout()
{
    // Ends the moderator session: clears the mod cookie and redirects to the
    // front page using the HTTP status configured in $config['redirect_http'].
    global $config;

    destroyCookies();

    $status = $config['redirect_http'];
    $target = '?/';
    header('Location: ' . $target, true, $status);
}
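function check_login($prompt = false)
{
    // Establishes the moderator session from the mod cookie, if one is set.
    // On success the global $mod is populated; on any problem with the cookie
    // (wrong shape, unknown user, hash mismatch) the cookie is cleared, the
    // login form is shown when $prompt is true, and the request ends.
    // Afterwards the legacy magic-quotes undo runs.
    //
    // @param bool $prompt  show mod_login() before exiting on a bad session
    // @return void
    global $config, $mod;

    // All rejection paths behave the same: drop the cookie, optionally prompt
    // for a fresh login, stop the request.  Never returns.
    $rejectSession = function () use ($prompt) {
        destroyCookies();
        if ($prompt) {
            mod_login();
        }
        exit;
    };

    // Validate session
    if (isset($_COOKIE[$config['cookies']['mod']])) {
        // Should be username:hash:salt
        $cookie = explode(':', $_COOKIE[$config['cookies']['mod']]);
        if (count($cookie) != 3) {
            // Malformed cookies
            $rejectSession();
        }

        // Username is bound as a parameter, never interpolated.
        $query = prepare("SELECT `id`, `type`, `boards`, `password` FROM ``mods`` WHERE `username` = :username");
        $query->bindValue(':username', $cookie[0]);
        $query->execute() or error(db_error($query));
        $user = $query->fetch(PDO::FETCH_ASSOC);

        // Unknown username: fetch() returns false, and the original code went
        // on to call mkhash() with a null password.  Treat it like any other
        // bad cookie instead.
        if ($user === false) {
            $rejectSession();
        }

        // validate password hash -- constant-time comparison so response time
        // does not depend on how much of the submitted hash was correct.
        if (!hash_equals((string) mkhash($cookie[0], $user['password'], $cookie[2]), $cookie[1])) {
            // Malformed cookies
            $rejectSession();
        }

        $mod = array(
            'id' => $user['id'],
            'type' => $user['type'],
            'username' => $cookie[0],
            'boards' => explode(',', $user['boards']),
        );
    }

    if ($config['debug']) {
        // NOTE(review): this is a local; nothing in this function reads it.
        $parse_start_time = microtime(true);
    }

    // Fix for magic quotes.  get_magic_quotes_gpc() no longer exists on
    // PHP 8, so guard the call instead of fataling on every request.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        function strip_array($var)
        {
            return is_array($var) ? array_map('strip_array', $var) : stripslashes($var);
        }

        $_GET = strip_array($_GET);
        $_POST = strip_array($_POST);
    }
}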
function commentForm($id, $atts = NULL)
{
    // Renders the public comment form for article $id ($atts: isize, msgrows,
    // msgcols, msgstyle, form).  Compared with the earlier revision in this
    // file: email/web are passed through clean_url(), the nonce/secret come
    // from getNextNonce()/getNextSecret(), validation failures are reported
    // through the comment evaluator, the three text inputs are HTML-escaped,
    // the nonce is emitted as a hidden field split at a random offset, and
    // plugins can inject markup via the 'comment.form' callback.  Returns the
    // complete <form> markup as a string.
    global $prefs;

    // Every preference becomes a local ($comments_require_name and
    // $comments_require_email are read below), then the tag attributes.
    extract($prefs);
    extract(lAtts(array(
        'isize' => '25',
        'msgrows' => '5',
        'msgcols' => '25',
        'msgstyle' => '',
        'form' => 'comment_form',
    ), $atts));

    $namewarn = false;
    $emailwarn = false;
    $commentwarn = false;
    // pcs()/ps()/cs() are the project's request/cookie accessors; their exact
    // lookup order is not visible here.
    $name = pcs('name');
    $email = clean_url(pcs('email'));
    $web = clean_url(pcs('web'));
    // Posted fields, entity-decoded and tag-stripped, become the locals
    // $remember, $forget, $parentid, $preview, $message, $submit, $backpage.
    extract(doStripTags(doDeEnt(psa(array('remember', 'forget', 'parentid', 'preview', 'message', 'submit', 'backpage')))));

    if ($preview) {
        // Raw POST values replace the stored ones for the preview round-trip.
        $name = ps('name');
        $email = clean_url(ps('email'));
        $web = clean_url(ps('web'));
        // NOTE(review): the nonce/secret are interpolated into SQL unescaped;
        // this relies on getNextNonce()/getNextSecret() returning SQL-safe
        // (e.g. hex) strings -- confirm in their definitions.
        $nonce = getNextNonce();
        $secret = getNextSecret();
        safe_insert("txp_discuss_nonce", "issue_time=now(), nonce='{$nonce}', secret='{$secret}'");
        $namewarn = $comments_require_name && !trim($name);
        $emailwarn = $comments_require_email && !trim($email);
        $commentwarn = !trim($message);
        // Each failed check pushes a RELOAD estimate with its message; the
        // evaluator decides the outcome and renders the messages elsewhere.
        $evaluator =& get_comment_evaluator();

        if ($namewarn) {
            $evaluator->add_estimate(RELOAD, 1, gTxt('comment_name_required'));
        }

        if ($emailwarn) {
            $evaluator->add_estimate(RELOAD, 1, gTxt('comment_email_required'));
        }

        if ($commentwarn) {
            $evaluator->add_estimate(RELOAD, 1, gTxt('comment_required'));
        }
    }

    // If the form fields are filled (anything other than blank), pages
    // really should not be saved by a public cache. rfc2616/14.9.1
    if ($name || $email || $web) {
        header('Cache-Control: private');
    }

    $parentid = !$parentid ? $id : $parentid;

    if (pcs('name') || pcs('email') || pcs('web')) {
        // Form-input different from Cookie, let's update the Cookie.
        // (The comparison below has an empty body; the net effect is simply
        // $remember = 1 whenever any of the three fields is present.)
        if (cs('name') != ps('name') or cs('email') != ps('email') or cs('web') != ps('web')) {
        }
        $remember = 1;
    }

    if ($remember == 1) {
        setCookies($name, $email, $web);
    }

    if ($forget == 1) {
        destroyCookies();
    }

    // NOTE(review): this value is concatenated into the form's action
    // attribute without escaping -- confirm pretext['request_uri'] is already
    // attribute-safe when it is built, otherwise a crafted URI could break
    // out of the attribute.
    $url = $GLOBALS['pretext']['request_uri'];

    // Experimental clean urls with only 404-error-document on apache
    // possibly requires messy urls for POST requests.
    if (defined('PARTLY_MESSY') and PARTLY_MESSY) {
        $url = hu . '?id=' . intval($parentid);
    }

    $out = '<form method="post" action="' . $url . '#cpreview" id="txpCommentInputForm">';
    $Form = fetch('Form', 'txp_form', 'name', $form);
    // rows/cols are intval'd; msgstyle is emitted as-is (presumably
    // template-author input, not visitor input -- confirm).
    $msgstyle = $msgstyle ? ' style="' . $msgstyle . '"' : '';
    $msgrows = ($msgrows and is_numeric($msgrows)) ? ' rows="' . intval($msgrows) . '"' : '';
    $msgcols = ($msgcols and is_numeric($msgcols)) ? ' cols="' . intval($msgcols) . '"' : '';
    // The comments_error class is appended to the textarea when the message
    // was missing on preview.
    $textarea = '<textarea class="txpCommentInputMessage' . ($commentwarn ? ' comments_error"' : '"') . ' name="message" id="message" ' . $msgcols . $msgrows . $msgstyle . '>' . htmlspecialchars($message) . '</textarea>';
    $comment_submit_button = $preview ? fInput('submit', 'submit', gTxt('submit'), 'button') : '';
    $checkbox = !empty($_COOKIE['txp_name']) ? checkbox('forget', 1, 0) . tag(gTxt('forget'), 'label', ' for="forget"') : checkbox('remember', 1, 1) . tag(gTxt('remember'), 'label', ' for="remember"');
    // All three visitor-supplied values are HTML-escaped before reaching input().
    $vals = array(
        'comment_name_input' => input('text', 'name', htmlspecialchars($name), $isize, 'comment_name_input' . ($namewarn ? ' comments_error' : ''), ""),
        'comment_email_input' => input('text', 'email', htmlspecialchars($email), $isize, 'comment_email_input' . ($emailwarn ? ' comments_error' : ''), ""),
        'comment_web_input' => input('text', 'web', htmlspecialchars($web), $isize, 'comment_web_input', ""),
        // The placeholder marks where the 'comment.form' callback output goes.
        'comment_message_input' => $textarea . '<!-- plugin-place-holder -->',
        'comment_remember' => $checkbox,
        'comment_preview' => input('submit', 'preview', gTxt('preview'), '', 'button'),
        'comment_submit' => $comment_submit_button,
    );

    // Substitute each <txp:... /> placeholder in the stored form with its widget.
    foreach ($vals as $a => $b) {
        $Form = str_replace('<txp:' . $a . ' />', $b, $Form);
    }

    $form = parse($Form);
    $out .= $form;
    $out .= fInput('hidden', 'parentid', $parentid);
    // On preview the nonce is emitted as a hidden field whose NAME is the
    // first $split characters and whose VALUE is the remainder; rand() only
    // chooses the split point, not the nonce.  The save side has to
    // reassemble it -- that code is not visible here.
    $split = rand(1, 31);
    $out .= $preview ? hInput(substr($nonce, 0, $split), substr($nonce, $split)) : '';
    // First display records the current URI as backpage; the preview step
    // carries the previously posted value forward.
    $out .= !$preview ? fInput('hidden', 'backpage', serverset("REQUEST_URI")) : fInput('hidden', 'backpage', $backpage);
    // Splice the plugin callback output over the placeholder.  NOTE(review):
    // if the form template omits <txp:comment_message_input />, strpos()
    // returns false and the callback output appears to be spliced at offset 0.
    $out = substr_replace($out, callback_event('comment.form'), strpos($out, '<!-- plugin-place-holder -->'), strlen('<!-- plugin-place-holder -->'));
    $out .= '</form>';

    return $out;
}
function commentForm($id)
{
    // Earliest revision of the public comment form renderer for article $id.
    // No tag attributes: sizes and styles are hard-coded, the form name is
    // fixed to 'comment_form', and preferences come from the $txpac global.
    // On a preview POST the fields are re-validated and a fresh nonce issued.
    // Returns the complete <form> markup as a string.
    global $txpac;

    $namewarn = '';
    $emailwarn = '';
    $commentwarn = '';
    // pcs()/ps() are the project's request/cookie accessors; their exact
    // lookup order is not visible here.
    $name = pcs('name');
    $email = pcs('email');
    $web = pcs('web');
    // Posted fields become the locals $remember, $forget, $parentid, $preview,
    // $message, $submit, $backpage.  Unlike the later revisions, nothing here
    // entity-decodes or tag-strips them.
    extract(psa(array('remember', 'forget', 'parentid', 'preview', 'message', 'submit', 'backpage')));

    if ($preview) {
        $name = ps('name');
        $email = ps('email');
        $web = ps('web');
        // NOTE(review): md5(uniqid(rand())) is not a cryptographic source for
        // a nonce; later revisions use getNextNonce().  The hex output is what
        // makes the interpolation into SQL below safe.
        $nonce = md5(uniqid(rand(), true));
        safe_insert("txp_discuss_nonce", "issue_time=now(), nonce='{$nonce}'");
        // Nested ternaries: warn only when the pref requires the field AND it
        // is blank after trim().
        $namewarn = $txpac['comments_require_name'] ? !trim($name) ? gTxt('comment_name_required') . br : '' : '';
        $emailwarn = $txpac['comments_require_email'] ? !trim($email) ? gTxt('comment_email_required') . br : '' : '';
        $commentwarn = !trim($message) ? gTxt('comment_required') . br : '';
    }

    $parentid = !$parentid ? $id : $parentid;

    if ($remember == 1) {
        setCookies($name, $email, $web);
    }

    if ($forget == 1) {
        destroyCookies();
    }

    $out = '<form method="post" action="" style="margin-top:2em">';
    $form = fetch('Form', 'txp_form', 'name', 'comment_form');
    $textarea = '<textarea name="message" cols="1" rows="1" style="width:300px;height:250px" tabindex="4">' . htmlspecialchars($message) . '</textarea>';
    $comment_submit_button = $preview ? fInput('submit', 'submit', gTxt('submit'), 'button') : '';
    $checkbox = !empty($_COOKIE['txp_name']) ? checkbox('forget', 1, 0) . gTxt('forget') : checkbox('remember', 1, 1) . gTxt('remember');
    // NOTE(review): $name/$email/$web reach input() without htmlspecialchars()
    // (only the message is escaped) -- confirm input() escapes its value
    // attribute, otherwise posted values are reflected unescaped.
    $vals = array(
        'comment_name_input' => $namewarn . input('text', 'name', $name, "25", '', "1"),
        'comment_email_input' => $emailwarn . input('text', 'email', $email, "25", '', "2"),
        'comment_web_input' => input('text', 'web', $web, "25", '', "3"),
        'comment_message_input' => $commentwarn . $textarea,
        'comment_remember' => $checkbox,
        'comment_preview' => input('submit', 'preview', gTxt('preview'), '', 'button'),
        'comment_submit' => $comment_submit_button,
    );

    // Substitute each <txp:... /> placeholder in the stored form with its widget.
    foreach ($vals as $a => $b) {
        $form = str_replace('<txp:' . $a . ' />', $b, $form);
    }

    $form = parse($form);
    $out .= $form;
    $out .= graf(fInput('hidden', 'parentid', $parentid));
    // The nonce is only present on the preview step.
    $out .= $preview ? hInput('nonce', $nonce) : '';
    // First display records the current URI as backpage; the preview step
    // carries the previously posted value forward.
    $out .= !$preview ? graf(fInput('hidden', 'backpage', serverset("REQUEST_URI"))) : graf(fInput('hidden', 'backpage', $backpage));
    $out .= '</form>';

    return $out;
}
function comment_remember($atts)
{
    // Tag handler for the remember/forget checkbox of the comment form.
    // Outside a preview the checkbox type is derived from the txp_remember
    // cookie; on a preview it comes from the posted hidden checkbox_type
    // field.  Emits the checkbox, its label and the hidden checkbox_type
    // field, and destroys the visitor cookies when the choice calls for it.
    global $thiscommentsform;

    extract(lAtts(array(
        'rememberlabel' => $thiscommentsform['rememberlabel'],
        'forgetlabel' => $thiscommentsform['forgetlabel'],
    ), $atts));
    extract(doDeEnt(psa(array('checkbox_type', 'remember', 'forget'))));

    if (!ps('preview')) {
        $stored = cs('txp_remember');

        if ($stored === '') {
            // No cookie yet: offer "remember", ticked by default.
            $checkbox_type = 'remember';
            $remember = 1;
        } else {
            $checkbox_type = ($stored == 1) ? 'forget' : 'remember';
        }
    }

    if ($checkbox_type == 'forget') {
        // Inhibit default remember.
        if ($forget == 1) {
            destroyCookies();
        }

        $boxName = 'forget';
        $boxState = $forget;
        $labelText = $forgetlabel;
    } else {
        // Inhibit default remember.
        if ($remember != 1) {
            destroyCookies();
        }

        $boxName = 'remember';
        $boxState = $remember;
        $labelText = $rememberlabel;
    }

    $checkbox = checkbox($boxName, 1, $boxState, '', $boxName)
        . ' ' . tag(txpspecialchars($labelText), 'label', ' for="' . $boxName . '"');

    return $checkbox . ' ' . hInput('checkbox_type', $checkbox_type);
}