function insert_user_comment_guestbook(&$comm, $key) { global $conf, $user, $page; $comm = array_merge($comm, array('ip' => $_SERVER['REMOTE_ADDR'], 'agent' => $_SERVER['HTTP_USER_AGENT'])); if (!$conf['guestbook']['comments_validation'] or is_admin()) { $comment_action = 'validate'; } else { $comment_action = 'moderate'; } // author if (!is_classic_user()) { if (empty($comm['author'])) { $page['errors'][] = l10n('Please enter your username'); $comment_action = 'reject'; } else { $comm['author_id'] = $conf['guest_id']; // if a guest try to use the name of an already existing user, // he must be rejected $query = ' SELECT COUNT(*) AS user_exists FROM ' . USERS_TABLE . ' WHERE ' . $conf['user_fields']['username'] . " = '" . addslashes($comm['author']) . "'\n;"; $row = pwg_db_fetch_assoc(pwg_query($query)); if ($row['user_exists'] == 1) { $page['errors'][] = l10n('This login is already used by another user'); $comment_action = 'reject'; } } } else { $comm['author'] = addslashes($user['username']); $comm['author_id'] = $user['id']; } // content if (empty($comm['content'])) { $comment_action = 'reject'; } // key if (!verify_ephemeral_key(@$key)) { $comment_action = 'reject'; $_POST['cr'][] = 'key'; } // email if (empty($comm['email']) and is_classic_user() and !empty($user['email'])) { $comm['email'] = $user['email']; } else { if (empty($comm['email']) and $conf['comments_email_mandatory']) { $page['errors'][] = l10n('mail address must be like xxx@yyy.eee (example : jack@altern.org)'); $comment_action = 'reject'; } else { if (!empty($comm['email']) and !email_check_format($comm['email'])) { $page['errors'][] = l10n('mail address must be like xxx@yyy.eee (example : jack@altern.org)'); $comment_action = 'reject'; } } } // website if (!empty($comm['website'])) { $comm['website'] = strip_tags($comm['website']); if (!preg_match('/^(https?:\\/\\/)/i', $comm['website'])) { $comm['website'] = 'http://' . $comm['website']; } if (!url_check_format($comm['website'])) { $page['errors'][] = l10n('invalid website address'); $comment_action = 'reject'; } } // anonymous id = ip address $ip_components = explode('.', $_SERVER["REMOTE_ADDR"]); if (count($ip_components) > 3) { array_pop($ip_components); } $comm['anonymous_id'] = implode('.', $ip_components); // comment validation and anti-spam if ($comment_action != 'reject' and $conf['anti-flood_time'] > 0 and !is_admin()) { $reference_date = pwg_db_get_flood_period_expression($conf['anti-flood_time']); $query = ' SELECT COUNT(1) FROM ' . GUESTBOOK_TABLE . ' WHERE date > ' . $reference_date . ' AND author_id = ' . $comm['author_id']; if (!is_classic_user()) { $query .= ' AND anonymous_id = "' . $comm['anonymous_id'] . '"'; } $query .= ' ;'; list($counter) = pwg_db_fetch_row(pwg_query($query)); if ($counter > 0) { $page['errors'][] = l10n('Anti-flood system : please wait for a moment before trying to post another comment'); $comment_action = 'reject'; } } // perform more spam check $comment_action = trigger_change('user_comment_check', $comment_action, $comm, 'guestbook'); if ($comment_action != 'reject') { $query = ' INSERT INTO ' . GUESTBOOK_TABLE . '( author, author_id, anonymous_id, content, date, validated, validation_date, website, rate, email ) VALUES ( \'' . $comm['author'] . '\', ' . $comm['author_id'] . ', \'' . $comm['anonymous_id'] . '\', \'' . $comm['content'] . '\', NOW(), \'' . ($comment_action == 'validate' ? 'true' : 'false') . '\', ' . ($comment_action == 'validate' ? 'NOW()' : 'NULL') . ', ' . (!empty($comm['website']) ? '\'' . $comm['website'] . '\'' : 'NULL') . ', ' . (!empty($comm['rate']) ? $comm['rate'] : 'NULL') . ', ' . (!empty($comm['email']) ? '\'' . $comm['email'] . '\'' : 'NULL') . ' ) '; pwg_query($query); $comm['id'] = pwg_db_insert_id(GUESTBOOK_TABLE); if ($conf['guestbook']['email_admin_on_comment'] and 'validate' == $comment_action or $conf['guestbook']['email_admin_on_comment_validation'] and 'moderate' == $comment_action) { include_once PHPWG_ROOT_PATH . 'include/functions_mail.inc.php'; $comment_url = add_url_params(GUESTBOOK_URL, array('comment_id' => $comm['id'])); $keyargs_content = array(get_l10n_args('Author: %s', stripslashes($comm['author'])), get_l10n_args('Comment: %s', stripslashes($comm['content'])), get_l10n_args('', ''), get_l10n_args('Manage this user comment: %s', $comment_url)); if ('moderate' == $comment_action) { $keyargs_content[] = get_l10n_args('', ''); $keyargs_content[] = get_l10n_args('(!) This comment requires validation', ''); } pwg_mail_notification_admins(get_l10n_args('Comment by %s', stripslashes($comm['author'])), $keyargs_content); } } return $comment_action; }
/** * Creates a new user. * * @param string $login * @param string $password * @param string $mail_adress * @param bool $notify_admin * @param array &$errors populated with error messages * @param bool $notify_user * @return int|false user id or false */ function register_user($login, $password, $mail_address, $notify_admin = true, &$errors = array(), $notify_user = false) { global $conf; if ($login == '') { $errors[] = l10n('Please, enter a login'); } if (preg_match('/^.* $/', $login)) { $errors[] = l10n('login mustn\'t end with a space character'); } if (preg_match('/^ .*$/', $login)) { $errors[] = l10n('login mustn\'t start with a space character'); } if (get_userid($login)) { $errors[] = l10n('this login is already used'); } if ($login != strip_tags($login)) { $errors[] = l10n('html tags are not allowed in login'); } $mail_error = validate_mail_address(null, $mail_address); if ('' != $mail_error) { $errors[] = $mail_error; } if ($conf['insensitive_case_logon'] == true) { $login_error = validate_login_case($login); if ($login_error != '') { $errors[] = $login_error; } } $errors = trigger_change('register_user_check', $errors, array('username' => $login, 'password' => $password, 'email' => $mail_address)); // if no error until here, registration of the user if (count($errors) == 0) { $insert = array($conf['user_fields']['username'] => pwg_db_real_escape_string($login), $conf['user_fields']['password'] => $conf['password_hash']($password), $conf['user_fields']['email'] => $mail_address); single_insert(USERS_TABLE, $insert); $user_id = pwg_db_insert_id(); // Assign by default groups $query = ' SELECT id FROM ' . GROUPS_TABLE . ' WHERE is_default = \'' . boolean_to_string(true) . '\' ORDER BY id ASC ;'; $result = pwg_query($query); $inserts = array(); while ($row = pwg_db_fetch_assoc($result)) { $inserts[] = array('user_id' => $user_id, 'group_id' => $row['id']); } if (count($inserts) != 0) { mass_inserts(USER_GROUP_TABLE, array('user_id', 'group_id'), $inserts); } $override = array(); if ($language = get_browser_language()) { $override['language'] = $language; } create_user_infos($user_id, $override); if ($notify_admin and $conf['email_admin_on_new_user']) { include_once PHPWG_ROOT_PATH . 'include/functions_mail.inc.php'; $admin_url = get_absolute_root_url() . 'admin.php?page=user_list&username='******'User: %s', stripslashes($login)), get_l10n_args('Email: %s', $mail_address), get_l10n_args(''), get_l10n_args('Admin: %s', $admin_url)); pwg_mail_notification_admins(get_l10n_args('Registration of %s', stripslashes($login)), $keyargs_content); } if ($notify_user and email_check_format($mail_address)) { include_once PHPWG_ROOT_PATH . 'include/functions_mail.inc.php'; $keyargs_content = array(get_l10n_args('Hello %s,', stripslashes($login)), get_l10n_args('Thank you for registering at %s!', $conf['gallery_title']), get_l10n_args('', ''), get_l10n_args('Here are your connection settings', ''), get_l10n_args('', ''), get_l10n_args('Link: %s', get_absolute_root_url()), get_l10n_args('Username: %s', stripslashes($login)), get_l10n_args('Password: %s', stripslashes($password)), get_l10n_args('Email: %s', $mail_address), get_l10n_args('', ''), get_l10n_args('If you think you\'ve received this email in error, please contact us at %s', get_webmaster_mail_address())); pwg_mail($mail_address, array('subject' => '[' . $conf['gallery_title'] . '] ' . l10n('Registration'), 'content' => l10n_args($keyargs_content), 'content_format' => 'text/plain')); } trigger_notify('register_user', array('id' => $user_id, 'username' => $login, 'email' => $mail_address)); return $user_id; } else { return false; } }
/** * Tries to insert a user comment and returns action to perform. * * @param array &$comm * @param string $key secret key sent back to the browser * @param array &$infos output array of error messages * @return string validate, moderate, reject */ function insert_user_comment(&$comm, $key, &$infos) { global $conf, $user; $comm = array_merge($comm, array('ip' => $_SERVER['REMOTE_ADDR'], 'agent' => $_SERVER['HTTP_USER_AGENT'])); $infos = array(); if (!$conf['comments_validation'] or is_admin()) { $comment_action = 'validate'; //one of validate, moderate, reject } else { $comment_action = 'moderate'; //one of validate, moderate, reject } // display author field if the user status is guest or generic if (!is_classic_user()) { if (empty($comm['author'])) { if ($conf['comments_author_mandatory']) { $infos[] = l10n('Username is mandatory'); $comment_action = 'reject'; } $comm['author'] = 'guest'; } $comm['author_id'] = $conf['guest_id']; // if a guest try to use the name of an already existing user, he must be // rejected if ($comm['author'] != 'guest') { $query = ' SELECT COUNT(*) AS user_exists FROM ' . USERS_TABLE . ' WHERE ' . $conf['user_fields']['username'] . " = '" . addslashes($comm['author']) . "'"; $row = pwg_db_fetch_assoc(pwg_query($query)); if ($row['user_exists'] == 1) { $infos[] = l10n('This login is already used by another user'); $comment_action = 'reject'; } } } else { $comm['author'] = addslashes($user['username']); $comm['author_id'] = $user['id']; } if (empty($comm['content'])) { // empty comment content $comment_action = 'reject'; } if (!verify_ephemeral_key(@$key, $comm['image_id'])) { $comment_action = 'reject'; $_POST['cr'][] = 'key'; // rvelices: I use this outside to see how spam robots work } // website if (!empty($comm['website_url'])) { if (!$conf['comments_enable_website']) { // honeypot: if the field is disabled, it should be empty ! $comment_action = 'reject'; $_POST['cr'][] = 'website_url'; } else { $comm['website_url'] = strip_tags($comm['website_url']); if (!preg_match('/^https?/i', $comm['website_url'])) { $comm['website_url'] = 'http://' . $comm['website_url']; } if (!url_check_format($comm['website_url'])) { $infos[] = l10n('Your website URL is invalid'); $comment_action = 'reject'; } } } // email if (empty($comm['email'])) { if (!empty($user['email'])) { $comm['email'] = $user['email']; } elseif ($conf['comments_email_mandatory']) { $infos[] = l10n('Email address is missing. Please specify an email address.'); $comment_action = 'reject'; } } elseif (!email_check_format($comm['email'])) { $infos[] = l10n('mail address must be like xxx@yyy.eee (example : jack@altern.org)'); $comment_action = 'reject'; } // anonymous id = ip address $ip_components = explode('.', $comm['ip']); if (count($ip_components) > 3) { array_pop($ip_components); } $anonymous_id = implode('.', $ip_components); if ($comment_action != 'reject' and $conf['anti-flood_time'] > 0 and !is_admin()) { // anti-flood system $reference_date = pwg_db_get_flood_period_expression($conf['anti-flood_time']); $query = ' SELECT count(1) FROM ' . COMMENTS_TABLE . ' WHERE date > ' . $reference_date . ' AND author_id = ' . $comm['author_id']; if (!is_classic_user()) { $query .= ' AND anonymous_id LIKE "' . $anonymous_id . '.%"'; } $query .= ' ;'; list($counter) = pwg_db_fetch_row(pwg_query($query)); if ($counter > 0) { $infos[] = l10n('Anti-flood system : please wait for a moment before trying to post another comment'); $comment_action = 'reject'; $_POST['cr'][] = 'flood_time'; } } // perform more spam check $comment_action = trigger_change('user_comment_check', $comment_action, $comm); if ($comment_action != 'reject') { $query = ' INSERT INTO ' . COMMENTS_TABLE . ' (author, author_id, anonymous_id, content, date, validated, validation_date, image_id, website_url, email) VALUES ( \'' . $comm['author'] . '\', ' . $comm['author_id'] . ', \'' . $comm['ip'] . '\', \'' . $comm['content'] . '\', NOW(), \'' . ($comment_action == 'validate' ? 'true' : 'false') . '\', ' . ($comment_action == 'validate' ? 'NOW()' : 'NULL') . ', ' . $comm['image_id'] . ', ' . (!empty($comm['website_url']) ? '\'' . $comm['website_url'] . '\'' : 'NULL') . ', ' . (!empty($comm['email']) ? '\'' . $comm['email'] . '\'' : 'NULL') . ' ) '; pwg_query($query); $comm['id'] = pwg_db_insert_id(COMMENTS_TABLE); invalidate_user_cache_nb_comments(); if ($conf['email_admin_on_comment'] && 'validate' == $comment_action or $conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action) { include_once PHPWG_ROOT_PATH . 'include/functions_mail.inc.php'; $comment_url = get_absolute_root_url() . 'comments.php?comment_id=' . $comm['id']; $keyargs_content = array(get_l10n_args('Author: %s', stripslashes($comm['author'])), get_l10n_args('Email: %s', stripslashes($comm['email'])), get_l10n_args('Comment: %s', stripslashes($comm['content'])), get_l10n_args(''), get_l10n_args('Manage this user comment: %s', $comment_url)); if ('moderate' == $comment_action) { $keyargs_content[] = get_l10n_args('(!) This comment requires validation'); } pwg_mail_notification_admins(get_l10n_args('Comment by %s', stripslashes($comm['author'])), $keyargs_content); } } return $comment_action; }
} if (empty($_POST['password'])) { $page['errors'][] = l10n('Password is missing. Please enter the password.'); } else { if (empty($_POST['password_conf'])) { $page['errors'][] = l10n('Password confirmation is missing. Please confirm the chosen password.'); } else { if ($_POST['password'] != $_POST['password_conf']) { $page['errors'][] = l10n('The passwords do not match'); } } } register_user($_POST['login'], $_POST['password'], $_POST['mail_address'], true, $page['errors'], isset($_POST['send_password_by_mail'])); if (count($page['errors']) == 0) { // email notification if (isset($_POST['send_password_by_mail']) and email_check_format($_POST['mail_address'])) { $_SESSION['page_infos'][] = l10n('Successfully registered, you will soon receive an email with your connection settings. Welcome!'); } // log user and redirect $user_id = get_userid($_POST['login']); log_user($user_id, false); redirect(make_index_url()); } $registration_post_key = get_ephemeral_key(2); } else { $registration_post_key = get_ephemeral_key(6); } $login = !empty($_POST['login']) ? htmlspecialchars(stripslashes($_POST['login'])) : ''; $email = !empty($_POST['mail_address']) ? htmlspecialchars(stripslashes($_POST['mail_address'])) : ''; //----------------------------------------------------- template initialization //
function ws_pshare_share_create($params, &$service) { global $conf, $user; if (!pshare_is_active()) { return new PwgError(401, "permission denied"); } $query = ' SELECT * FROM ' . IMAGES_TABLE . ' WHERE id = ' . $params['image_id'] . ' ;'; $images = query2array($query); if (count($images) == 0) { return new PwgError(404, "image not found"); } $image = $images[0]; if (!pshare_is_photo_visible($params['image_id'])) { return new PwgError(401, "permissions denied"); } if (!email_check_format($params['email'])) { return new PwgError(WS_ERR_INVALID_PARAM, l10n('Invalid email address')); } // TODO check the expires_in is in the defined list $query = ' SELECT NOW(), ADDDATE(NOW(), INTERVAL ' . $params['expires_in'] . ' DAY) ;'; list($now, $expire) = pwg_db_fetch_row(pwg_query($query)); $key_uuid = pshare_get_key(); single_insert(PSHARE_KEYS_TABLE, array('uuid' => $key_uuid, 'user_id' => $user['id'], 'image_id' => $params['image_id'], 'sent_to' => $params['email'], 'created_on' => $now, 'duration' => $params['expires_in'], 'expire_on' => $expire)); $query = ' SELECT * FROM ' . PSHARE_KEYS_TABLE . ' WHERE uuid = \'' . $key_uuid . '\' ;'; $shares = query2array($query); if (count($shares) == 0) { return new PwgError(500, "share not created"); } $share = $shares[0]; // // Send the email // include_once PHPWG_ROOT_PATH . 'include/functions_mail.inc.php'; // force $conf['derivative_url_style'] to 2 (script) to make sure we // will use i.php?/upload and not _data/i/upload because you don't // know when the cache will be flushed $previous_derivative_url_style = $conf['derivative_url_style']; $conf['derivative_url_style'] = 2; $thumb_url = DerivativeImage::thumb_url(array('id' => $image['id'], 'path' => $image['path'])); // restore configuration setting $conf['derivative_url_style'] = $previous_derivative_url_style; $link = get_absolute_root_url() . 'index.php?/pshare/' . $share['uuid']; $content = '<p style="text-align:center">'; $content .= l10n('%s has shared a photo with you', $user['username']); $content .= '<br><br><a href="' . $link . '"><img src="' . $thumb_url . '"></a>'; $content .= '<br><br><a href="' . $link . '">' . l10n('clic to view') . '</a>'; $content .= '</p>'; $subject = l10n('Photo shared'); pwg_mail($params['email'], array('subject' => '[' . $conf['gallery_title'] . '] ' . $subject, 'mail_title' => $conf['gallery_title'], 'mail_subtitle' => $subject, 'content' => $content, 'content_format' => 'text/html')); return array('message' => l10n('Email sent to %s', $share['sent_to'])); }