if ($action == 'authorize') { if (isset($user_id) == false) { show_error_redirect_back('No user_id specified'); } try_mysql_query("UPDATE users SET authorized='1' WHERE user_id='{$user_id}'", $db_write); show_message_redirect_back("User successfully authorized."); } else { if ($action == 'promote') { if (isset($user_id) == false) { show_error_redirect_back('No user_id specified'); } try_mysql_query("UPDATE users SET admin='1' WHERE user_id='{$user_id}'", $db_write); show_message_redirect_back("User successfully granted admin privilidges"); } else { if ($action == 'demote') { if (isset($user_id) == false) { show_error_redirect_back('No user_id specified'); } try_mysql_query("UPDATE users SET admin='0' WHERE user_id='{$user_id}'", $db_write); show_message_redirect_back("User successfully revoked admin privilidges"); } else { show_error_redirect_back("Unknown action"); } } } ?>
# database # header('Pragma: no-cache'); require 'shared.php'; if (isset($_GET['action'])) { $action = $_GET['action']; } if (isset($action) && $action == "logout") { logout(); show_message_redirect_back("Logged out"); } else { $username = mysql_escape_string(htmlentities(trim($_POST['username']))); $password = $_POST['password']; $info = check_login($username, $password); if (!$info) { show_error_redirect_back("Login failed"); } else { show_message_redirect_back("Logged in"); } } # Functions # NOTE: USERNAME HAS TO BE SANITIZED BEFORE ENTERING! function check_login($username, $password, $remember = true) { $db = get_db_read(); # Get the salt and check if the user exists at the same time $result = try_mysql_query("SELECT salt FROM users WHERE username = '******'", $db); if (mysql_num_rows($result) != 1) { return null; } $row = mysql_fetch_assoc($result);
} $ext = get_extension(strtolower($_FILES['file']['name'])); if (!in_array($ext, array("jpeg", "jpg", "png", "gif", "bmp", "tif", "tiff"))) { show_error_redirect_back("Sorry, {$ext} isn't an allowed file type. Allowed extensions are JPEG, JPG, GIF, PNG, BMP, TIF, and TIFF<BR>"); } # Generate the new filename $rand = generate_salt(); $i = 0; do { $newname = $me['username'] . "-" . $rand . "-{$i}.jpeg"; } while (file_exists("{$upload_directory}/{$newname}")); # Copy it into the production folder, however, don't link it to the database yet. resize_and_compress($max_width, $max_height, $jpeg_quality, $_FILES['file']['tmp_name'], "{$upload_directory}/{$newname}"); resize_and_compress($thumbnail_width, $thumbnail_height, $jpeg_quality, $_FILES['file']['tmp_name'], "{$upload_directory}/tn-{$newname}"); # Copy it into the preview folder resize_and_compress($preview_width, $preview_height, 40, $_FILES['file']['tmp_name'], "{$preview_directory}/{$newname}"); # Set the filename in the session, which is used after confirmation $_SESSION['image_filename'] = $newname; # Get the list of categories, for displaying the combobox $categories = get_categories_by_user_id($me['user_id'], true, $db); if (count($categories) == 0) { show_error_redirect_back("You need to create a category first"); } # Display template_display_preview("{$preview_directory}/{$newname}", htmlentities($_FILES['file']['name']), $categories, $me['last_category']); ?>
$pictures_result = try_mysql_query("SELECT * FROM pictures WHERE category_id='{$category_id}'", $db_read); while ($row = mysql_fetch_assoc($pictures_result)) { try_mysql_query("DELETE FROM comments WHERE picture_id='" . $pictures_result['picture_id'] . "'", $db_write); } mysql_free_result($pictures_result); try_mysql_query("DELETE FROM pictures WHERE category_id='{$category_id}'", $db_write); try_mysql_query("DELETE FROM categories WHERE category_id='{$category_id}'", $db_write); show_message_redirect("Category deleted", "show_user.php?user_id=" . $assoc['user_id']); } else { # The user is deleting a picture $picture_id = $_GET['picture_id']; if (is_numeric($picture_id) == false) { redirect_back(); } // Get the category $result = try_mysql_query("SELECT user_id,pictures.category_id FROM categories,pictures WHERE categories.category_id = pictures.category_id AND picture_id = {$picture_id}", $db_read); $assoc = mysql_fetch_assoc($result); mysql_free_result($result); if ($me['admin'] != 1 && $assoc['user_id'] != $me['user_id']) { show_error_redirect_back("Access denied"); } try_mysql_query("DELETE FROM pictures WHERE picture_id = '{$picture_id}'", $db_write); try_mysql_query("DELETE FROM comments WHERE picture_id = '{$picture_id}'", $db_write); show_message_redirect("Picture deleted", "show_category.php?category_id=" . $assoc['category_id']); } ?>
if (isset($_POST['category_id']) == false || is_numeric($_POST['category_id']) == false) { show_error_redirect_back("Error -- category wasn't found"); } $title = mysql_escape_string(htmlentities(trim($_POST['title']))); $caption = mysql_escape_string(nl2br(htmlentities(trim($_POST['caption'])))); $category = get_category_by_category_id($_POST['category_id'], $db_read); if (validate_title($title) == false) { show_error_redirect_back("Invalid title. Titles have to be 0-{$max_length_title} characters."); } if (validate_comment($caption) == false) { show_error_redirect_back("Invalid caption. Captions have to be 0-{$max_length_comment} characters."); } # Make sure he's uploading to his own category $result = try_mysql_query("SELECT * FROM categories WHERE user_id='" . $me['user_id'] . "' AND category_id='" . $category['category_id'] . "'", $db_read); if (mysql_num_rows($result) == 0) { show_error_redirect_back("Invalid category."); } mysql_free_result($result); # Insert the new picture try_mysql_query("INSERT INTO pictures (category_id, title, filename, caption, date_added) VALUES ('" . $category['category_id'] . "', '{$title}', '{$image_filename}', '{$caption}', NOW())", $db_write); $picture_id = mysql_insert_id($db_write); # Update the las modified category (used for the default selection in the category combo) try_mysql_query("UPDATE users SET last_category='" . $category['category_id'] . "' WHERE user_id='" . $me['user_id'] . "'", $db_write); # Update the last modified time for the private user/category try_mysql_query("UPDATE users SET last_updated=NOW() WHERE user_id='" . $me['user_id'] . "'", $db_write); try_mysql_query("UPDATE categories SET last_updated=NOW() WHERE category_id='" . $category['category_id'] . "'", $db_write); # Set the last modified time for the public user/category if ($category['private'] != '1') { try_mysql_query("UPDATE users SET last_updated_public=NOW() WHERE user_id='" . $me['user_id'] . "'", $db_write); try_mysql_query("UPDATE categories SET last_updated_public=NOW() WHERE category_id='" . $category['category_id'] . "'", $db_write); }
# header('Pragma: no-cache'); require_once 'shared.php'; # Make a connection to the database $db_read = get_db_read(); $db_write = get_db_write(); if (!$me) { redirect("index.php"); } if (isset($_POST['category']) == false) { redirect("index.php"); } $category = mysql_escape_string(htmlentities(trim($_POST['category']))); $private = isset($_POST['private']) ? '1' : '0'; if (validate_category($category) == false) { show_error_redirect_back("Please enter a valid category name (between 3 and {$max_length_category} characters)"); } $result = try_mysql_query("SELECT * FROM categories WHERE name = '{$category}' AND user_id = '" . $me['user_id'] . "'", $db_read); if (mysql_num_rows($result) > 0) { show_error_redirect_back('Error: you already have a category with that name!'); } try_mysql_query("INSERT INTO categories (user_id, name, private, date_created, last_updated, last_updated_public) VALUES (" . $me['user_id'] . ", '{$category}', '{$private}', NOW(), 0, 0)", $db_write); $category_id = mysql_insert_id($db_write); try_mysql_query("UPDATE users SET last_category='{$category_id}' WHERE user_id='" . $me['user_id'] . "'", $db_write); show_message_redirect_back("Category successfully created!"); ?>
show_error_redirect_back("Please enter a username made up of 3 - 14 alpha-numeric characters"); } if (validate_password($password) == false) { show_error_redirect_back("Please enter a password that is at least 6 characters (it's for your own protection!)"); } if (validate_email($email) == false) { show_error_redirect_back("Please enter a valid email address"); } # Check if the username is being used $result = try_mysql_query("SELECT * FROM users WHERE username='******'", $db_read); if (mysql_num_rows($result) > 0) { show_error_redirect_back("Sorry, that username is already in use."); } mysql_free_result($result); # Check if the email address is already used $result = try_mysql_query("SELECT * FROM users WHERE email='" . $email . "'", $db_read); if (mysql_num_rows($result) > 0) { show_error_redirect_back("Sorry, that email address is already in use."); } mysql_free_result($result); # Generate the salt and hash the password $salt = generate_salt(); $hashed_password = hash_password($password, $salt); try_mysql_query("INSERT INTO users (username, password, salt, email, date_registered, authorized, admin, last_updated, last_updated_public, notify_comments, notify_pictures) VALUES ('{$username}', '{$hashed_password}', '{$salt}', '{$email}', NOW(), '{$require_authorization}', '{$admin}', '0', '0', '{$notify_comments}', '{$notify_pictures}')", $db_write); show_message_redirect_back("Account created! Please log in."); ?>
# Make a connection to the database $db = get_db_read(); $_SESSION['back'] = $_SERVER['REQUEST_URI']; if (isset($_GET['picture_id']) == false || is_numeric($_GET['picture_id']) == false) { show_error_redirect_back("Invalid picture"); } $picture_id = $_GET['picture_id']; # Get the current picture $picture = get_picture_from_picture_id($picture_id, $db) or show_error_redirect_back("Invalid picture"); # Get the category $category = get_category_by_category_id($picture['category_id'], $db) or show_error_redirect_back("Invalid picture"); # Get the user $user = get_user_by_user_id($category['user_id'], $db) or show_error_redirect_back("Invalid picture"); # Check if the category is private if (!$me && $category['private'] == '1') { show_error_redirect_back("Invalid picture"); } # Get the images in the category $pictures = get_pictures_by_category_id($category['category_id'], $db); $prev_picture = null; $next_picture = null; # Find the next and previous picture $done = false; while (!$done && ($this_picture = array_shift($pictures))) { if ($this_picture['picture_id'] == $picture_id) { if ($this_picture = array_shift($pictures)) { $next_picture = $this_picture; } $done = true; } else { $prev_picture = $this_picture;
# # show_category.php # This shows a list of the pictures in a category. Hopefully, eventually, with # thumbnails. # header('Pragma: no-cache'); require 'shared.php'; $db = get_db_read(); $_SESSION['back'] = $_SERVER['REQUEST_URI']; if (isset($_GET['category_id']) == false || is_numeric($_GET['category_id']) == false) { show_error_redirect_back("No category_id specified"); } $category_id = $_GET['category_id']; $category_information = get_category_by_category_id($category_id, $db); if (!$category_information || !$me && $category_information['private'] != 0) { show_error_redirect_back("invalid category_id"); } $user_information = get_user_by_user_id($category_information['user_id'], $db); # Check if the category is private $pictures = get_pictures_by_category_id($category_id, $db); # Display the table of pictures $new_pictures = array(); foreach ($pictures as $picture) { $picture['url'] = "show_picture.php?picture_id=" . $picture['picture_id']; $picture['picture_url'] = "picture.php?picture_id=" . $picture['picture_id']; $picture['tn_url'] = "picture.php?tn=true&picture_id=" . $picture['picture_id']; $picture['num_comments'] = count(get_comments_by_picture_id($picture['picture_id'], $db)); array_push($new_pictures, $picture); } template_display_picture_list($me, $user_information, $category_information, $new_pictures, $thumbnail_height, $thumbnail_width); ?>