function createShittalkRow($text)
{
$text_escaped = mysql_escape_mimic(strip_double_quotes($text));
$today = mysql_escape_mimic(date("Y-m-d H:i:s"));
$sql = "INSERT INTO `shittalkDB`\n (`text`, `date_created`, `custom`)\n VALUES ('{$text_escaped}', '{$today}', 0);";
$result = mySqlQuery($sql);
return $result;
}
function clean_title(&$title, $key)
{
$title = substr($title, 1, strlen($title) - 2);
$title = urldecode($title);
$title = mysql_escape_mimic($title);
$title = "'" . $title . "'";
return $title;
}
function getUpvotedTextRowsForCfg($limit = 150)
{
$response = [];
$limit_escaped = mysql_escape_mimic($limit);
$sql = "SELECT *, `upvotes` - `downvotes` AS `netVotes` FROM shittalkDB WHERE (`upvotes` - `downvotes`) >= 5 ORDER by `netVotes` DESC LIMIT {$limit_escaped};";
$result = mySqlQuery($sql);
if ($result->num_rows > 0) {
while ($row = $result->fetch_assoc()) {
$response[] = $row['text'];
}
}
return $response;
}
protected static function sanitize($input)
{
# Emails get mutilated here -- let's check that first
$preg = "/[a-z0-9!#\$%&'*+=?^_`{|}~-]+(?:\\.[a-z0-9!#\$%&'*+=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+(?:[a-z]{2}|com|org|net|edu|gov|mil|biz|info|mobi|name|aero|asia|jobs|museum)\\b/";
if (preg_match($preg, $input) === 1) {
# It's an email, let's escape it and be done with it
$output = mysql_escape_mimic($input);
return $output;
}
if (is_array($input)) {
foreach ($input as $var => $val) {
$output[$var] = self::staticSanitize($val);
}
} else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = htmlentities(self::cleanInput($input));
$input = str_replace('_', '_', $input);
// Fix _ potential wildcard
$input = str_replace('%', '%', $input);
// Fix % potential wildcard
$input = str_replace("'", ''', $input);
$input = str_replace('"', '"', $input);
$output = mysql_escape_mimic($input);
}
return $output;
}
function timestampDeletion($count = 0, $downvotes = 0, $upvotes = 0)
{
date_default_timezone_set('America/New_York');
$timestamp = date('Y-m-d G:i:s');
$count_escaped = mysql_escape_mimic($count);
$downvotes_escaped = mysql_escape_mimic($downvotes);
$upvotes_escaped = mysql_escape_mimic($upvotes);
$sql = "UPDATE `timestamps`\n SET uses = uses + 1,\n last_use = '{$timestamp}',\n num_deleted = num_deleted + '{$count_escaped}',\n downvotes_deleted = downvotes_deleted + '{$downvotes_escaped}',\n upvotes_deleted = upvotes_deleted + '{$upvotes_escaped}'\n WHERE `action` = 'delete_Downvoted';";
$result = mySqlQuery($sql);
if ($result === true) {
echo 'Updated timestamp<br />';
} else {
var_dump($result);
}
}
$in = array(&$_GET, &$_POST);
if (get_magic_quotes_gpc()) {
while (list($k, $v) = each($in)) {
foreach ($v as $key => $val) {
if (!is_array($val)) {
$in[$k][mysql_escape_mimic(htmlspecialchars(stripslashes($key), ENT_QUOTES))] = mysql_escape_mimic(htmlspecialchars(stripslashes($val), ENT_QUOTES));
} else {
$in[] =& $in[$k][$key];
}
}
}
} else {
while (list($k, $v) = each($in)) {
foreach ($v as $key => $val) {
if (!is_array($val)) {
$in[$k][mysql_escape_mimic(htmlspecialchars($key, ENT_QUOTES))] = mysql_escape_mimic(htmlspecialchars($val, ENT_QUOTES));
} else {
$in[] =& $in[$k][$key];
}
}
}
}
if (!function_exists('json_encode')) {
function json_encode($a = false)
{
/**
* This function encodes a PHP array into JSON
* Function from php.net by Steve
* Returns: @JSON
*/
if (is_null($a)) {
function chatlog($mysql, $sender, $sendcontent, $replycontent)
{
$query = "INSERT INTO `chatlog` (`id`, `sender`, `sendcontent`, `replycontent`) VALUES (NULL, '" . mysql_escape_mimic($sender) . "', '" . mysql_escape_mimic($sendcontent) . "', '" . mysql_escape_mimic($replycontent) . "');";
$mysql->query($query);
}
function downvoteRow($id)
{
$id_escaped = mysql_escape_mimic($id);
$sql = "UPDATE shittalkDB SET downvotes = downvotes + 1 WHERE `id` = {$id_escaped};";
$result = mySqlQuery($sql);
return $result;
}
<?php
include_once 'funciones.php';
if (isset($_POST['url'])) {
if (isset($_POST['comentario']) && $_POST['comentario'] !== 'Insertar comentario (indique su correo si es posible)...') {
$comentario =& $_POST['comentario'];
} else {
$comentario = '';
}
$db = new PDO('sqlite:cpanel/avisos.sqlite');
$db->query('INSERT INTO avisos (url, comentario, ip, referer, useragent) VALUES (\'' . mysql_escape_mimic($_POST['url']) . '\', \'' . mysql_escape_mimic($comentario) . '\', \'' . $_SERVER['REMOTE_ADDR'] . '\', \'' . $_SERVER['HTTP_REFERER'] . '\', \'' . $_SERVER['HTTP_USER_AGENT'] . '\');');
}
?>
