<?php // Present a single comment feed in raw html // Used by script.php but can also be used directly if (!isset($sid)) { die('Missing sid'); } require_once 'shared.php'; $site = GetSiteConstants($sid, false); if (urlError) { echo '<div class="commentError">' . urlError . '</div>'; return; } $session = GetSessionConstants(); // Read comments $query = 'SELECT * FROM Comments WHERE SiteID = ' . $sid . ' AND Page = \'' . mysql_real_escape_string($page) . '\' AND VerifiedDate IS NOT NULL ORDER BY CommentDate ASC'; $result = @mysql_query($query) or die(mysql_error()); //Style echo '<style type="text/css">'; require 'comments.css'; echo '</style>'; //Feed icon echo '<div class="commentFeed"><a href="' . service_url . '/inc/' . $sid . '/' . str_replace('+', '%20', urlencode($page)) . '.xml"><img src="' . service_url . '/feed.png" /></a></div>'; $count = mysql_num_rows($result); if ($count === 0) { echo '<p>No comments</p>'; } elseif ($count === 1) { echo '<p>One comment</p>';
<?php require_once "shared.php"; $session = GetSessionConstants() or die('No session'); $cid = intval($_GET['cid']); $action = $_GET['action']; //Get comment to do the action on $res = @mysql_query('SELECT * FROM Comments WHERE CommentID=' . $cid) or die('<div class="commentError">' . mysql_error() . '</div>'); $c = mysql_fetch_assoc($res) or die('<div class="commentError">No comment with id ' . $cid . '</div>'); //DELETE if ($action === 'delete') { //Delete unverified comment as poster $res = @mysql_query('DELETE FROM Comments WHERE CommentID=' . $cid . ' AND CommentEmail=\'' . mysql_real_escape_string($session['Email']) . '\' AND VerifiedIP IS NULL ') or die('<div class="commentError">' . mysql_error() . '</div>'); if (mysql_affected_rows() === 1) { //no need to update since the comment was not verified before, hence not visible header('Location: ' . service_url . '/dashboard/'); return; } //Delete as site admin $res = mysql_query(' SELECT Sites.AdminEmail, Sites.SiteID FROM Sites JOIN Comments ON Comments.SiteID=Sites.SiteID WHERE Comments.CommentID=' . $cid) or die('<div class="commentError">' . mysql_error() . '</div>'); $row = mysql_fetch_assoc($res) or die('<div class="commentError">No comment found.</div>'); if ($row['AdminEmail'] != $session['Email']) { die('<div class="commentError">No comment found.</div>');