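# Admin user-management actions (authorize / promote / demote).
# $action, $user_id and $db_write are expected to be set by the including script;
# show_error_redirect_back() / show_message_redirect_back() are assumed not to
# return, which the branch structure already relied on.
#
# Every known action is a single-column UPDATE on users, so the three near-identical
# branches collapse into one lookup table: action => (SET clause, success message).
$user_actions = array(
    'authorize' => array("authorized='1'", "User successfully authorized."),
    'promote'   => array("admin='1'", "User successfully granted admin privilidges"),
    'demote'    => array("admin='0'", "User successfully revoked admin privilidges"),
);

if (!isset($action) || !is_string($action) || !array_key_exists($action, $user_actions)) {
    show_error_redirect_back("Unknown action");
}
if (!isset($user_id)) {
    show_error_redirect_back('No user_id specified');
}
# try_mysql_query() takes raw SQL and cannot bind parameters, so reduce user_id to
# an integer before it is interpolated. The picture/category handlers in this
# application validate their ids with is_numeric() the same way.
if (!is_numeric($user_id)) {
    show_error_redirect_back('Invalid user_id');
}
$user_id = (int) $user_id;

list($assignment, $message) = $user_actions[$action];
try_mysql_query("UPDATE users SET {$assignment} WHERE user_id='{$user_id}'", $db_write);
show_message_redirect_back($message);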
?>
	
	
	

# database
#
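header('Pragma: no-cache');
require 'shared.php';

# The action only comes from the query string; anything other than "logout"
# is treated as a login attempt.
if (isset($_GET['action'])) {
    $action = $_GET['action'];
}

if (isset($action) && $action === 'logout') {
    logout();
    show_message_redirect_back("Logged out");
} else {
    # A request without both fields (e.g. a plain GET of this page) used to raise
    # undefined-index notices and then query the database with an empty username;
    # treat it as a failed login instead.
    if (!isset($_POST['username'], $_POST['password'])) {
        show_error_redirect_back("Login failed");
    }
    # check_login() interpolates the username into raw SQL, so it must be escaped
    # here (see the NOTE on check_login). mysql_escape_string() is charset-unaware;
    # mysql_real_escape_string() on the open link is preferable if shared.php
    # exposes one.
    $username = mysql_escape_string(htmlentities(trim($_POST['username'])));
    $password = $_POST['password'];

    $info = check_login($username, $password);
    if (!$info) {
        show_error_redirect_back("Login failed");
    } else {
        show_message_redirect_back("Logged in");
    }
}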
# Functions
# NOTE: USERNAME HAS TO BE SANITIZED BEFORE ENTERING!
function check_login($username, $password, $remember = true)
{
    $db = get_db_read();
    # Get the salt and check if the user exists at the same time
    $result = try_mysql_query("SELECT salt FROM users WHERE username = '******'", $db);
    if (mysql_num_rows($result) != 1) {
        return null;
    }
    $row = mysql_fetch_assoc($result);
}
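# The extension is derived from the client-supplied filename, so it is
# untrusted until it has passed the allow-list below.
$allowed_extensions = array("jpeg", "jpg", "png", "gif", "bmp", "tif", "tiff");
$ext = get_extension(strtolower($_FILES['file']['name']));
if (!in_array($ext, $allowed_extensions, true)) {
    # $ext is reflected into a message that is rendered as HTML (note the <BR>),
    # so escape it instead of echoing the raw filename fragment back.
    $safe_ext = htmlentities($ext);
    show_error_redirect_back("Sorry, {$safe_ext} isn't an allowed file type.  Allowed extensions are JPEG, JPG, GIF, PNG, BMP, TIF, and TIFF<BR>");
}
# Check for a category before touching the filesystem, so a user without one
# does not leave three orphaned image files behind.
$categories = get_categories_by_user_id($me['user_id'], true, $db);
if (count($categories) == 0) {
    show_error_redirect_back("You need to create a category first");
}
# Generate the new filename
$rand = generate_salt();
$i = 0;
do {
    $newname = $me['username'] . "-" . $rand . "-{$i}.jpeg";
    $i++;  # advance the suffix; without this a name collision loops forever
} while (file_exists("{$upload_directory}/{$newname}"));
# Copy it into the production folder, however, don't link it to the database yet.
resize_and_compress($max_width, $max_height, $jpeg_quality, $_FILES['file']['tmp_name'], "{$upload_directory}/{$newname}");
resize_and_compress($thumbnail_width, $thumbnail_height, $jpeg_quality, $_FILES['file']['tmp_name'], "{$upload_directory}/tn-{$newname}");
# Copy it into the preview folder
resize_and_compress($preview_width, $preview_height, 40, $_FILES['file']['tmp_name'], "{$preview_directory}/{$newname}");
# Set the filename in the session, which is used after confirmation
$_SESSION['image_filename'] = $newname;
# Display the preview with the category combobox
template_display_preview("{$preview_directory}/{$newname}", htmlentities($_FILES['file']['name']), $categories, $me['last_category']);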
?>
	
	
	

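    # Delete the comments of every picture in the category before the pictures
    # themselves. Only picture_id is needed here, so don't fetch whole rows.
    $pictures_result = try_mysql_query("SELECT picture_id FROM pictures WHERE category_id='{$category_id}'", $db_read);
    while ($row = mysql_fetch_assoc($pictures_result)) {
        # Read the id from the fetched row, not from the result resource: indexing
        # $pictures_result (never an array) ran every comment delete with an empty
        # picture_id, so comments were left behind.
        $comment_picture_id = (int) $row['picture_id'];
        try_mysql_query("DELETE FROM comments WHERE picture_id='{$comment_picture_id}'", $db_write);
    }
    mysql_free_result($pictures_result);
    try_mysql_query("DELETE FROM pictures WHERE category_id='{$category_id}'", $db_write);
    try_mysql_query("DELETE FROM categories WHERE category_id='{$category_id}'", $db_write);
    show_message_redirect("Category deleted", "show_user.php?user_id=" . $assoc['user_id']);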
} else {
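    # The user is deleting a picture
    $picture_id = isset($_GET['picture_id']) ? $_GET['picture_id'] : null;
    if (!is_numeric($picture_id)) {
        redirect_back();
    }
    # Cast after the is_numeric() check: the id is interpolated unquoted into the
    # SELECT below and try_mysql_query() cannot bind parameters.
    $picture_id = (int) $picture_id;

    // Get the category and its owner, so ownership can be checked
    $result = try_mysql_query("SELECT user_id,pictures.category_id FROM categories,pictures WHERE categories.category_id = pictures.category_id AND picture_id = {$picture_id}", $db_read);
    $assoc = mysql_fetch_assoc($result);
    mysql_free_result($result);
    if (!$assoc) {
        # No such picture. Without this an admin fell through, issued two DELETEs
        # that matched nothing and was redirected to an empty category_id.
        show_error_redirect_back("Invalid picture");
    }
    # Only the owner or an admin may delete
    if ($me['admin'] != 1 && $assoc['user_id'] != $me['user_id']) {
        show_error_redirect_back("Access denied");
    }
    try_mysql_query("DELETE FROM pictures WHERE picture_id = '{$picture_id}'", $db_write);
    try_mysql_query("DELETE FROM comments WHERE picture_id = '{$picture_id}'", $db_write);
    show_message_redirect("Picture deleted", "show_category.php?category_id=" . $assoc['category_id']);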
}
?>
	
	
	

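# Confirm an upload: attach the already-resized image to a category owned by the
# current user. $db_read, $db_write, $me and the $max_length_* limits come from
# the including script; $image_filename presumably comes from the session value
# stored during the upload step — confirm against the caller.
if (!isset($_POST['category_id']) || !is_numeric($_POST['category_id'])) {
    show_error_redirect_back("Error -- category wasn't found");
}

# Missing fields become empty strings instead of raising undefined-index notices;
# the validate_*() calls below decide whether empty is acceptable.
$raw_title = isset($_POST['title']) ? $_POST['title'] : '';
$raw_caption = isset($_POST['caption']) ? $_POST['caption'] : '';
# Escaped for the raw SQL built below (try_mysql_query() cannot bind parameters).
# Note the length validators therefore measure the escaped, entity-encoded text.
$title = mysql_escape_string(htmlentities(trim($raw_title)));
$caption = mysql_escape_string(nl2br(htmlentities(trim($raw_caption))));

$category = get_category_by_category_id($_POST['category_id'], $db_read);
if (!$category) {
    # Fail early: a missing category used to fall through to the ownership query
    # with an empty id and surface as the less accurate "Invalid category."
    show_error_redirect_back("Error -- category wasn't found");
}
if (!validate_title($title)) {
    show_error_redirect_back("Invalid title.  Titles have to be 0-{$max_length_title} characters.");
}
if (!validate_comment($caption)) {
    show_error_redirect_back("Invalid caption.  Captions have to be 0-{$max_length_comment} characters.");
}

$owner_id = $me['user_id'];
$cat_id = $category['category_id'];

# Make sure he's uploading to his own category
$result = try_mysql_query("SELECT * FROM categories WHERE user_id='{$owner_id}' AND category_id='{$cat_id}'", $db_read);
if (mysql_num_rows($result) == 0) {
    show_error_redirect_back("Invalid category.");
}
mysql_free_result($result);

# Insert the new picture
try_mysql_query("INSERT INTO pictures (category_id, title, filename, caption, date_added) VALUES ('{$cat_id}', '{$title}', '{$image_filename}', '{$caption}', NOW())", $db_write);
$picture_id = mysql_insert_id($db_write);

# Update the last modified category (used for the default selection in the category combo)
try_mysql_query("UPDATE users SET last_category='{$cat_id}' WHERE user_id='{$owner_id}'", $db_write);
# Update the last modified time for the private user/category
try_mysql_query("UPDATE users SET last_updated=NOW() WHERE user_id='{$owner_id}'", $db_write);
try_mysql_query("UPDATE categories SET last_updated=NOW() WHERE category_id='{$cat_id}'", $db_write);
# Set the last modified time for the public user/category
if ($category['private'] != '1') {
    try_mysql_query("UPDATE users SET last_updated_public=NOW() WHERE user_id='{$owner_id}'", $db_write);
    try_mysql_query("UPDATE categories SET last_updated_public=NOW() WHERE category_id='{$cat_id}'", $db_write);
}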
#
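header('Pragma: no-cache');
require_once 'shared.php';

# Make a connection to the database
$db_read = get_db_read();
$db_write = get_db_write();

# Must be logged in, and the form must actually have been submitted
if (!$me || !isset($_POST['category'])) {
    redirect("index.php");
}
$owner_id = $me['user_id'];

# Escaped for the raw SQL below (try_mysql_query() cannot bind parameters).
# validate_category() therefore measures the escaped, entity-encoded string, so
# names containing & or quotes reach the length limit a little early.
$category = mysql_escape_string(htmlentities(trim($_POST['category'])));
$private = isset($_POST['private']) ? '1' : '0';
if (!validate_category($category)) {
    show_error_redirect_back("Please enter a valid category name (between 3 and {$max_length_category} characters)");
}

# Reject duplicate names per user. This check-then-insert is racy under
# concurrent submissions; a UNIQUE(user_id, name) index is the real guarantee.
$result = try_mysql_query("SELECT * FROM categories WHERE name = '{$category}' AND user_id = '{$owner_id}'", $db_read);
if (mysql_num_rows($result) > 0) {
    show_error_redirect_back('Error: you already have a category with that name!');
}
mysql_free_result($result);

# user_id is quoted here for consistency with every other query in this file.
try_mysql_query("INSERT INTO categories (user_id, name, private, date_created, last_updated, last_updated_public) VALUES ('{$owner_id}', '{$category}', '{$private}', NOW(), 0, 0)", $db_write);
$category_id = mysql_insert_id($db_write);

# Remember this as the user's most recent category (the default in the upload combo)
try_mysql_query("UPDATE users SET last_category='{$category_id}' WHERE user_id='{$owner_id}'", $db_write);
show_message_redirect_back("Category successfully created!");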
?>
	
	
	

    show_error_redirect_back("Please enter a username made up of 3 - 14 alpha-numeric characters");
}
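if (!validate_password($password)) {
    show_error_redirect_back("Please enter a password that is at least 6 characters (it's for your own protection!)");
}
if (!validate_email($email)) {
    show_error_redirect_back("Please enter a valid email address");
}

# Check if the username is being used
$result = try_mysql_query("SELECT * FROM users WHERE username='******'", $db_read);
if (mysql_num_rows($result) > 0) {
    show_error_redirect_back("Sorry, that username is already in use.");
}
mysql_free_result($result);

# Check if the email address is already used.
# $email is interpolated into raw SQL; this relies on it having been escaped
# where it was read from the request (outside this excerpt) — confirm, since
# validate_email() alone does not guarantee that.
$result = try_mysql_query("SELECT * FROM users WHERE email='{$email}'", $db_read);
if (mysql_num_rows($result) > 0) {
    show_error_redirect_back("Sorry, that email address is already in use.");
}
mysql_free_result($result);

# Generate the salt and hash the password. generate_salt()/hash_password() are
# the application's own scheme; password_hash()/password_verify() would be the
# standard replacement if the schema can drop the separate salt column.
$salt = generate_salt();
$hashed_password = hash_password($password, $salt);

# Both existence checks above are racy under concurrent registrations; UNIQUE
# indexes on username and email are what actually enforce them.
try_mysql_query("INSERT INTO users (username, password, salt, email, date_registered, authorized, admin, last_updated, last_updated_public, notify_comments, notify_pictures) VALUES ('{$username}', '{$hashed_password}', '{$salt}', '{$email}', NOW(), '{$require_authorization}', '{$admin}', '0', '0', '{$notify_comments}', '{$notify_pictures}')", $db_write);
show_message_redirect_back("Account created! Please log in.");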
?>
	
	
	

# Make a connection to the database
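# Make a connection to the database
$db = get_db_read();
# Remember where to send the user back to after an action on this page
$_SESSION['back'] = $_SERVER['REQUEST_URI'];

if (!isset($_GET['picture_id']) || !is_numeric($_GET['picture_id'])) {
    show_error_redirect_back("Invalid picture");
}
$picture_id = $_GET['picture_id'];

# Resolve picture -> category -> owner. Every missing link is reported with the
# same message so the response does not reveal which part exists.
$picture = get_picture_from_picture_id($picture_id, $db);
if (!$picture) {
    show_error_redirect_back("Invalid picture");
}
$category = get_category_by_category_id($picture['category_id'], $db);
if (!$category) {
    show_error_redirect_back("Invalid picture");
}
$user = get_user_by_user_id($category['user_id'], $db);
if (!$user) {
    show_error_redirect_back("Invalid picture");
}

# Private categories are hidden from anonymous visitors only: any logged-in
# user, not just the owner, passes this check (the category listing applies the
# same rule). NOTE(review): confirm that is the intended access model.
if (!$me && $category['private'] == '1') {
    show_error_redirect_back("Invalid picture");
}

# Get the images in the category
$pictures = get_pictures_by_category_id($category['category_id'], $db);
$prev_picture = null;
$next_picture = null;
# Find the next and previous picture
$done = false;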
while (!$done && ($this_picture = array_shift($pictures))) {
    if ($this_picture['picture_id'] == $picture_id) {
        if ($this_picture = array_shift($pictures)) {
            $next_picture = $this_picture;
        }
        $done = true;
    } else {
        $prev_picture = $this_picture;
#
# show_category.php
# This shows a list of the pictures in a category.  Hopefully, eventually, with
# thumbnails.
#
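header('Pragma: no-cache');
require 'shared.php';
$db = get_db_read();
# Remember where to send the user back to after an action on this page
$_SESSION['back'] = $_SERVER['REQUEST_URI'];

if (!isset($_GET['category_id']) || !is_numeric($_GET['category_id'])) {
    show_error_redirect_back("No category_id specified");
}
$category_id = $_GET['category_id'];

$category_information = get_category_by_category_id($category_id, $db);
# Reject an unknown category, or a private one viewed by an anonymous visitor.
# (Any logged-in user can see a private category here, not only its owner.)
# Parentheses make the && / || precedence explicit.
if (!$category_information || (!$me && $category_information['private'] != 0)) {
    show_error_redirect_back("invalid category_id");
}
$user_information = get_user_by_user_id($category_information['user_id'], $db);

# Build the display list: per-picture URLs plus the comment count.
# get_comments_by_picture_id() is called once per picture only to count its
# result, so this is presumably one query per picture; a single COUNT(*) ...
# GROUP BY picture_id query would avoid that if categories grow large.
$pictures = get_pictures_by_category_id($category_id, $db);
$new_pictures = array();
foreach ($pictures as $picture) {
    $id = $picture['picture_id'];
    $picture['url'] = "show_picture.php?picture_id=" . $id;
    $picture['picture_url'] = "picture.php?picture_id=" . $id;
    $picture['tn_url'] = "picture.php?tn=true&picture_id=" . $id;
    $picture['num_comments'] = count(get_comments_by_picture_id($id, $db));
    $new_pictures[] = $picture;
}
template_display_picture_list($me, $user_information, $category_information, $new_pictures, $thumbnail_height, $thumbnail_width);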
?>