$e->croak(); } exit; } /** * * Add comment * */ if ($_SERVER['REQUEST_METHOD'] == 'POST' && $do_action == 'add-comment' && $_POST['verification'] == $_SESSION['ccms_captcha'] && !empty($_SESSION['ccms_captcha'])) { $error = ''; $commentName = getPOSTparam4DisplayHTML('name'); $commentEmail = getPOSTparam4Email('email'); $commentUrl = getPOSTparam4URL('website'); $commentRating = getPOSTparam4Number('rating', 3); $commentContent = getPOSTparam4DisplayHTML('comment'); // no need for strip_tags here: 4DisplayHTML already encodes anything that might be dangerous in HTML entities so they show but don't hurt $commentHost = $_SERVER['REMOTE_ADDR']; if (!empty($commentName) && !empty($commentEmail) && !empty($commentRating) && !empty($commentContent) && !empty($commentHost)) { $values = array(); // [i_a] make sure $values is an empty array to start with here $values['page_id'] = MySQL::SQLValue($page_id, MySQL::SQLVALUE_NUMBER); $values['commentName'] = MySQL::SQLValue($commentName, MySQL::SQLVALUE_TEXT); $values['commentEmail'] = MySQL::SQLValue($commentEmail, MySQL::SQLVALUE_TEXT); $values['commentUrl'] = MySQL::SQLValue($commentUrl, MySQL::SQLVALUE_TEXT); $values['commentRate'] = MySQL::SQLValue($commentRating, MySQL::SQLVALUE_ENUMERATE); // 'note the 'tricky' comment in the MySQL::SQLValue() member: we MUST have quotes around this number as mySQL enums are quoted :-( $values['commentContent'] = MySQL::SQLValue($commentContent, MySQL::SQLVALUE_TEXT); $values['commentHost'] = MySQL::SQLValue($commentHost, MySQL::SQLVALUE_TEXT); // Insert new page into database if (!$db->InsertRow($cfg['db_prefix'] . 'modcomment', $values)) {
} /** * * Apply album to page * */ if ($_SERVER['REQUEST_METHOD'] == 'POST' && $do_action == 'apply-album') { FbX::SetFeedbackLocation('lightbox.Manage.php', 'page_id=' . $page_id); try { if (!empty($album_name)) { FbX::SetFeedbackLocation('lightbox.Manage.php', 'page_id=' . $page_id . '&album=' . $album_name); // Only if current user has the rights if ($perm->is_level_okay('manageModLightbox', $_SESSION['ccms_userLevel'])) { // Posted variables $topage = getPOSTparam4Filename('albumtopage'); $description = getPOSTparam4DisplayHTML('description'); $infofile = BASE_PATH . '/media/albums/' . $album_name . '/info.txt'; if ($handle = fopen($infofile, 'w+')) { if (fwrite($handle, $topage . "\r\n" . $description)) { header('Location: ' . makeAbsoluteURI('lightbox.Manage.php?page_id=' . $page_id . '&album=' . $album_name . '&status=notice&msg=' . rawurlencode($ccms['lang']['backend']['settingssaved']))); exit; } else { throw new FbX($ccms['lang']['system']['error_write']); } } else { throw new FbX($ccms['lang']['system']['error_write']); } } else { throw new FbX($ccms['lang']['auth']['featnotallowed']); } } else {
* * Either INSERT or UPDATE news article * */ if ($_SERVER['REQUEST_METHOD'] == 'POST' && $do_action == 'add-edit-news' && checkAuth()) { FbX::SetFeedbackLocation('news.Manage.php'); try { if (!empty($page_id)) { FbX::SetFeedbackLocation('news.Manage.php', 'page_id=' . $page_id); // Only if current user has the rights if ($perm->is_level_okay('manageModNews', $_SESSION['ccms_userLevel'])) { // Published $newsAuthor = getPOSTparam4Number('newsAuthor'); $newsTitle = getPOSTparam4DisplayHTML('newsTitle'); $newsTeaser = getPOSTparam4DisplayHTML('newsTeaser'); $newsContent = getPOSTparam4DisplayHTML('newsContent'); $newsModified = getPOSTparam4DateTime('newsModified', time()); $newsPublished = getPOSTparam4boolean('newsPublished'); /* make sure empty news posts don't get through! front-end checking alone is NOT enough! */ if (!empty($page_id) && !empty($newsAuthor) && !empty($newsAuthor) && !empty($newsTitle) && strlen($newsTitle) >= 3 && !empty($newsTeaser) && !empty($newsContent)) { // Set all the submitted variables $values = array(); // [i_a] make sure $values is an empty array to start with here $values["userID"] = MySQL::SQLValue($newsAuthor, MySQL::SQLVALUE_NUMBER); $values["page_id"] = MySQL::SQLValue($page_id, MySQL::SQLVALUE_NUMBER); $values["newsTitle"] = MySQL::SQLValue($newsTitle, MySQL::SQLVALUE_TEXT); $values["newsTeaser"] = MySQL::SQLValue($newsTeaser, MySQL::SQLVALUE_TEXT); $values["newsContent"] = MySQL::SQLValue($newsContent, MySQL::SQLVALUE_TEXT); $values["newsModified"] = MySQL::SQLValue($newsModified, MySQL::SQLVALUE_DATETIME); $values["newsPublished"] = MySQL::SQLValue($newsPublished, MySQL::SQLVALUE_BOOLEAN); // Execute either INSERT or UPDATE based on $newsID
$owner = explode('||', strval($row->user_ids)); if ($perm->is_level_okay('managePageEditing', $_SESSION['ccms_userLevel']) && ($row->iscoding != 'Y' || $perm->is_level_okay('managePageCoding', $_SESSION['ccms_userLevel'])) && (!in_array($row->urlpage, $cfg['restrict']) || in_array($_SESSION['ccms_userID'], $owner))) { $active = $row->published; $name = $row->urlpage; if ($row->iscoding == 'Y') { // code pages: only for users with elevated rights, so we're okay with less filtering (none at all, in this case!) $type = 'code'; $content = getPOSTparam4RAWCONTENT('content'); // accept ANYTHING: it's code, so can carry anything, including javascript and PHP code chunks! } else { $type = 'text'; $content = getPOSTparam4RAWHTML('content'); // [i_a] must be RAW HTML, no htmlspecialchars(). Filtering required if malicious input risk expected. } $filename = BASE_PATH . '/content/' . $name . '.php'; $keywords = getPOSTparam4DisplayHTML('keywords'); if (is_writable_ex($filename)) { if (!($handle = fopen($filename, 'w'))) { die('[ERR105] ' . $ccms['lang']['system']['error_openfile'] . ' (' . $filename . ').'); } if (fwrite($handle, $content) === FALSE) { die('[ERR106] ' . $ccms['lang']['system']['error_write'] . ' (' . $filename . ').'); } fclose($handle); } else { die($ccms['lang']['system']['error_chmod']); } // Save keywords to database $values = array(); // [i_a] make sure $values is an empty array to start with here $values['keywords'] = MySQL::SQLValue($keywords, MySQL::SQLVALUE_TEXT);