$email = $_POST['email']; $website = $_POST['website']; $town = $_POST['town']; $country = $_POST['cmtx_country']; $rating = $_POST['cmtx_rating']; $comment = $_POST['comment']; $reply = $_POST['reply']; $page_id = $_POST['page_id']; $reply_to = $_POST['reply_to']; $is_approved = $_POST['is_approved']; $is_sticky = $_POST['is_sticky']; $is_locked = $_POST['is_locked']; $id_san = cmtx_sanitize($id); $name_san = cmtx_sanitize($name); $email_san = cmtx_sanitize($email); $website_san = cmtx_url_encode_spaces($website); $website_san = cmtx_sanitize($website_san); $town_san = cmtx_sanitize($town); $country_san = cmtx_sanitize($country); $rating_san = cmtx_sanitize($rating); $comment_san = cmtx_sanitize($comment, false, true); $reply_san = cmtx_sanitize($reply, false, true); $page_id_san = cmtx_sanitize($page_id); $reply_to_san = cmtx_sanitize($reply_to); $is_approved_san = cmtx_sanitize($is_approved); $is_sticky_san = cmtx_sanitize($is_sticky); $is_locked_san = cmtx_sanitize($is_locked); if (!$is_approved) { cmtx_unapprove_replies($id); } if (isset($_POST['send']) && $_POST['send'] == "1") {
function cmtx_clean_form_defaults() { //clean default form field values
    global $cmtx_default_name, $cmtx_default_email, $cmtx_default_website, $cmtx_default_town, $cmtx_default_country, $cmtx_default_rating, $cmtx_default_comment; //globalise variables

    //Each default is cleaned field by field, always in the same three steps:
    //  1. strip the " character
    //  2. drop whatever the field does not allow (regex or filter_var)
    //  3. convert to HTML entities via cmtx_sanitize($value, true, false)
    //The fields are independent of each other, so processing them one at a time is equivalent to processing them step by step.

    //name: any letter from any language (\p{L}), & - ' . space and digits
    $name = str_replace('"', '', $cmtx_default_name);
    $name = preg_replace('/[^\\p{L}&\\-\'. 0-9]/u', '', $name);
    $cmtx_default_name = cmtx_sanitize($name, true, false);

    //email: FILTER_SANITIZE_EMAIL keeps only the characters legal in an address
    $email = filter_var(str_replace('"', '', $cmtx_default_email), FILTER_SANITIZE_EMAIL);
    $cmtx_default_email = cmtx_sanitize($email, true, false);

    //website: the " must be removed explicitly because FILTER_SANITIZE_URL leaves it in
    $website = str_replace('"', '', $cmtx_default_website);
    $website = cmtx_url_encode_spaces($website);
    $website = filter_var($website, FILTER_SANITIZE_URL);
    $cmtx_default_website = cmtx_sanitize($website, true, false);

    //town and country: letters, & - ' . and space (no digits, unlike the name)
    $town = preg_replace('/[^\\p{L}&\\-\'. ]/u', '', str_replace('"', '', $cmtx_default_town));
    $cmtx_default_town = cmtx_sanitize($town, true, false);

    $country = preg_replace('/[^\\p{L}&\\-\'. ]/u', '', str_replace('"', '', $cmtx_default_country));
    $cmtx_default_country = cmtx_sanitize($country, true, false);

    //rating: only the digits 1-5 survive
    $rating = preg_replace('/[^1-5]/', '', str_replace('"', '', $cmtx_default_rating));
    $cmtx_default_rating = cmtx_sanitize($rating, true, false);

    //comment: no character filtering, only entity conversion
    $cmtx_default_comment = cmtx_sanitize($cmtx_default_comment, true, false);
}
echo '<span class="negative">' . CMTX_RESET_LIMIT . '</span><p />'; } else { $resets++; cmtx_db_query("UPDATE `" . $cmtx_mysql_table_prefix . "admins` SET `resets` = '{$resets}' WHERE `email` = '{$email}'"); $username = $admin_result['username']; $password = cmtx_get_random_key(10); if (file_exists($cmtx_path . 'includes/emails/' . cmtx_setting('language_frontend') . '/admin/custom/reset_password.txt')) { $reset_password_email_file = $cmtx_path . 'includes/emails/' . cmtx_setting('language_frontend') . '/admin/custom/reset_password.txt'; //build path to custom reset password email file } else { $reset_password_email_file = $cmtx_path . 'includes/emails/' . cmtx_setting('language_frontend') . '/admin/reset_password.txt'; //build path to reset password email file } $body = file_get_contents($reset_password_email_file); //get the file's contents $admin_link = cmtx_url_encode_spaces(cmtx_setting('commentics_url') . cmtx_setting('admin_folder')) . '/'; //build admin panel link //convert email variables with actual variables $body = str_ireplace('[username]', $username, $body); $body = str_ireplace('[password]', $password, $body); $body = str_ireplace('[admin link]', $admin_link, $body); $body = str_ireplace('[signature]', cmtx_setting('signature'), $body); //send email cmtx_email($email, null, cmtx_setting('admin_reset_password_subject'), $body, cmtx_setting('admin_reset_password_from_email'), cmtx_setting('admin_reset_password_from_name'), cmtx_setting('admin_reset_password_reply_to')); $password = md5($password); $password = cmtx_sanitize($password); cmtx_db_query("UPDATE `" . $cmtx_mysql_table_prefix . "admins` SET `password` = '{$password}' WHERE `email` = '{$email}'"); echo '<span class="positive">' . CMTX_RESET_SENT . '</span>'; } } else { echo '<span class="negative">' . CMTX_RESET_ADDR . '</span>';
//set it with login website } if (cmtx_setting('enabled_website')) { //if website field is enabled $cmtx_website = trim($_POST['cmtx_website']); //remove any space at beginning and end if (cmtx_setting('required_website') && (empty($cmtx_website) || $cmtx_website == "http://")) { //if field is required but value is empty cmtx_error(CMTX_ERROR_MESSAGE_NO_WEBSITE); //reject user for entering no website address } else { if (!empty($cmtx_website) && $cmtx_website != "http://") { //if a website address is entered cmtx_is_injected($cmtx_website); //check for injection attempt $cmtx_website = cmtx_url_encode_spaces($cmtx_website); //encode spaces cmtx_validate_website($cmtx_website); //validate website if (cmtx_setting('approve_websites')) { //if entering a website address requires approval cmtx_approve(CMTX_APPROVE_REASON_WEBSITE_ENTERED); //approve user for entering website } if (cmtx_setting('reserved_websites_enabled') && !$cmtx_is_admin) { $cmtx_website = cmtx_check_for_word("reserved_websites", false, $cmtx_website, cmtx_setting('reserved_websites_action'), CMTX_APPROVE_REASON_RESERVED_WEBSITE, CMTX_ERROR_MESSAGE_RESERVED_WEBSITE, CMTX_BAN_REASON_RESERVED_WEBSITE); } if (cmtx_setting('dummy_websites_enabled')) { $cmtx_website = cmtx_check_for_word("dummy_websites", false, $cmtx_website, cmtx_setting('dummy_websites_action'), CMTX_APPROVE_REASON_DUMMY_WEBSITE, CMTX_ERROR_MESSAGE_DUMMY_WEBSITE, CMTX_BAN_REASON_DUMMY_WEBSITE); } if (cmtx_setting('banned_websites_as_website_enabled')) {
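function cmtx_get_page_details() { //get page details
    global $cmtx_identifier, $cmtx_reference, $cmtx_url, $cmtx_parameters; //globalise variables

    //Resolves the cmtx_title / cmtx_h1 / cmtx_filename / cmtx_reference / cmtx_identifier / cmtx_url
    //placeholders inside the page identifier and reference, and (re)computes the global $cmtx_url.
    //Security-relevant: when cmtx_title/cmtx_h1 are used, this function performs an outbound HTTP
    //request to the current page URL, which is derived from the incoming request.

    //get URL
    $url = cmtx_url_decode(cmtx_current_page());

    //remove URL parameters if configured
    if (isset($cmtx_parameters)) {
        if (empty($cmtx_parameters) || $cmtx_parameters == 'none') {
            $url = strtok($url, '?'); //drop the whole query string
        } else {
            //keep only the configured parameters, in the configured order
            $queries = explode(',', $cmtx_parameters);
            $query_string = '';
            foreach ($queries as $query) {
                if (isset($_GET[$query])) {
                    //NOTE(review): the raw $_GET value is concatenated here; it is assumed that cmtx_url_encode() below encodes it before any fetch
                    $query_string .= $query . '=' . $_GET[$query] . '&';
                } else {
                    die; //a configured parameter is absent from the request; the original design aborts the page outright
                }
            }
            if ($query_string !== '') { //every appended pair ends in '&', so drop the trailing one
                $query_string = substr($query_string, 0, -1);
            }
            $url = strtok($url, '?');
            $url .= '?' . $query_string;
        }
    }

    //ensure reference is set
    if (!isset($cmtx_reference)) {
        $cmtx_reference = '';
    }

    //get title/heading: fetch the page itself and pull <title> / <h1> out of its HTML
    if (stristr($cmtx_identifier, 'cmtx_title') || stristr($cmtx_reference, 'cmtx_title') || stristr($cmtx_identifier, 'cmtx_h1') || stristr($cmtx_reference, 'cmtx_h1')) {
        @ini_set('user_agent', 'Commentics'); //set user-agent for the file_get_contents fallback
        $path = cmtx_url_encode($url);
        $file = false;
        //only fetch over http(s): the URL is built from the request, so refuse file://, gopher:// and the like (SSRF hardening)
        $scheme = strtolower((string) parse_url($path, PHP_URL_SCHEME));
        if ($scheme === 'http' || $scheme === 'https') {
            if (extension_loaded('curl')) { //if cURL is available
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                curl_setopt($ch, CURLOPT_HEADER, false);
                curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); //NOTE(review): redirects are followed, so the final host may differ from the page's own
                curl_setopt($ch, CURLOPT_MAXREDIRS, 5);
                curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
                curl_setopt($ch, CURLOPT_TIMEOUT, 10);
                //was VERIFYPEER=false / VERIFYHOST=false: verify the certificate so a MITM cannot feed us a spoofed title/h1
                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
                curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
                curl_setopt($ch, CURLOPT_USERAGENT, 'Commentics');
                curl_setopt($ch, CURLOPT_URL, $path);
                $file = curl_exec($ch);
                curl_close($ch);
            } elseif ((bool) ini_get('allow_url_fopen')) { //if allow_url_fopen is available
                $file = file_get_contents($path);
            }
        }
        if (!empty($file)) {
            //NOTE(review): $match[1] is raw remote HTML; it is assumed the identifier/reference are sanitized before storage or output
            if (stristr($cmtx_identifier, 'cmtx_title') || stristr($cmtx_reference, 'cmtx_title')) {
                if (preg_match('/<title>(.+?)<\\/title>/i', $file, $match)) {
                    $cmtx_identifier = str_ireplace('cmtx_title', $match[1], $cmtx_identifier);
                    $cmtx_reference = str_ireplace('cmtx_title', $match[1], $cmtx_reference);
                } else {
                    $cmtx_identifier = str_ireplace('cmtx_title', 'Title tag not found', $cmtx_identifier);
                    $cmtx_reference = str_ireplace('cmtx_title', 'Title tag not found', $cmtx_reference);
                }
            }
            if (stristr($cmtx_identifier, 'cmtx_h1') || stristr($cmtx_reference, 'cmtx_h1')) {
                if (preg_match('/<h1>(.+?)<\\/h1>/i', $file, $match)) {
                    $cmtx_identifier = str_ireplace('cmtx_h1', $match[1], $cmtx_identifier);
                    $cmtx_reference = str_ireplace('cmtx_h1', $match[1], $cmtx_reference);
                } else {
                    $cmtx_identifier = str_ireplace('cmtx_h1', 'H1 tag not found', $cmtx_identifier);
                    $cmtx_reference = str_ireplace('cmtx_h1', 'H1 tag not found', $cmtx_reference);
                }
            }
        } else {
            //no transport available, fetch failed, or the scheme was refused
            $cmtx_identifier = str_ireplace('cmtx_title', 'Server incapable', $cmtx_identifier);
            $cmtx_reference = str_ireplace('cmtx_title', 'Server incapable', $cmtx_reference);
            $cmtx_identifier = str_ireplace('cmtx_h1', 'Server incapable', $cmtx_identifier);
            $cmtx_reference = str_ireplace('cmtx_h1', 'Server incapable', $cmtx_reference);
        }
    }

    //get page filename (full script path for the identifier, basename only for the reference)
    if (stristr($cmtx_identifier, 'cmtx_filename') || stristr($cmtx_reference, 'cmtx_filename')) {
        if (isset($_SERVER['SCRIPT_NAME'])) {
            $cmtx_identifier = str_ireplace('cmtx_filename', $_SERVER['SCRIPT_NAME'], $cmtx_identifier);
            $cmtx_reference = str_ireplace('cmtx_filename', basename($_SERVER['SCRIPT_NAME']), $cmtx_reference);
        } else {
            $cmtx_identifier = str_ireplace('cmtx_filename', 'Server incapable', $cmtx_identifier);
            $cmtx_reference = str_ireplace('cmtx_filename', 'Server incapable', $cmtx_reference);
        }
    }

    //set identifier as reference
    if (stristr($cmtx_identifier, 'cmtx_reference')) {
        $cmtx_identifier = str_ireplace('cmtx_reference', $cmtx_reference, $cmtx_identifier);
    }

    //set reference as identifier
    if (stristr($cmtx_reference, 'cmtx_identifier')) {
        $cmtx_reference = str_ireplace('cmtx_identifier', $cmtx_identifier, $cmtx_reference);
    }

    //set reference as URL
    //NOTE(review): this reads the global $cmtx_url as it is on entry; it is only (re)assigned at the end of this function
    if (stristr($cmtx_reference, 'cmtx_url')) {
        $cmtx_reference = str_ireplace('cmtx_url', $cmtx_url, $cmtx_reference);
    }

    //set identifier as URL: a normalised form of the page URL (no www., no index file, no scheme difference, no commentics paging params, lowercase)
    if (stristr($cmtx_identifier, 'cmtx_url')) {
        $cmtx_temp = $url;
        $cmtx_temp = str_ireplace('www.', '', $cmtx_temp); //remove 'www.' if there
        //strip index files longest name first: the original removed 'index.htm' before 'index.html', which left a stray 'l' behind
        //NOTE(review): installs that already stored identifiers for index.html pages will see those identifiers change
        foreach (array('index.shtml', 'index.html', 'index.htm', 'index.php') as $index_file) {
            $cmtx_temp = str_ireplace($index_file, '', $cmtx_temp);
        }
        $cmtx_temp = str_ireplace('https://', 'http://', $cmtx_temp); //remove SSL if there
        //remove cmtx_page=x, cmtx_sort=x and cmtx_perm=x in the three positions each can appear (leading &, trailing &, bare)
        foreach (array('cmtx_page', 'cmtx_sort', 'cmtx_perm') as $param) {
            $cmtx_temp = preg_replace('/&' . $param . '=[0-9]*/', '', $cmtx_temp);
            $cmtx_temp = preg_replace('/' . $param . '=[0-9]*&/', '', $cmtx_temp);
            $cmtx_temp = preg_replace('/' . $param . '=[0-9]*/', '', $cmtx_temp);
        }
        $cmtx_temp = strtolower($cmtx_temp); //convert to lowercase
        $cmtx_identifier = str_ireplace('cmtx_url', $cmtx_temp, $cmtx_identifier);
    }

    //get URL
    $cmtx_url = cmtx_url_decode(cmtx_current_page());
    if (cmtx_setting('lower_pages')) {
        $cmtx_url = strtolower($cmtx_url);
    }
    $cmtx_url = cmtx_url_encode_spaces($cmtx_url); //encode spaces
}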
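function cmtx_image_1(array $matches) {
    //BBCode [img] callback: $matches[1] is user-supplied text from a comment, so it is untrusted.
    //Returns the <img> markup, or null after raising the invalid-image error.
    $image_styling = 'max-width:508px; height:auto;';
    $url = cmtx_url_encode_spaces($matches[1]);
    //FILTER_VALIDATE_URL alone still accepts non-http schemes and does not escape attribute-breaking characters,
    //so additionally restrict the scheme to http/https and entity-encode the value before placing it in src="...".
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (filter_var($url, FILTER_VALIDATE_URL) && in_array($scheme, array('http', 'https'), true)) {
        //double_encode=false so an already entity-encoded comment is not encoded twice
        $src = htmlspecialchars($url, ENT_QUOTES, 'UTF-8', false);
        return '<img src="' . $src . '" style="' . $image_styling . '"/>';
    } else {
        cmtx_error(CMTX_ERROR_MESSAGE_BB_INVALID_IMAGE);
        return;
    }
}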
} else { echo $cmtx_average_rating . '/5 (' . cmtx_number_of_ratings() . ')</span>'; } } echo '</div>'; /* *** Pagination (Top) *** */ echo '<div class="cmtx_pagination_block_top">'; if (cmtx_setting('enabled_pagination') && cmtx_setting('show_pagination_top') && $cmtx_total_pages > 1) { cmtx_paginate($cmtx_current_page, cmtx_setting('range_of_pages'), $cmtx_total_pages); } echo '</div>'; /* *** Social *** */ echo '<div class="cmtx_social_block">'; if (cmtx_setting('show_social')) { $cmtx_social_url = cmtx_url_encode_spaces(cmtx_get_page_url()); $cmtx_social_title = cmtx_url_encode_spaces(cmtx_get_page_reference()); $cmtx_social_url = str_ireplace('&', '%26', $cmtx_social_url); //convert & to %26 $cmtx_social_title = str_ireplace('&', '%26', $cmtx_social_title); //convert & to %26 $cmtx_social_attribute = ''; //initialize variable if (cmtx_setting('social_new_window')) { $cmtx_social_attribute = ' target="_blank"'; } echo '<div class="cmtx_social_images">'; if (cmtx_setting('show_social_facebook')) { echo '<a href="http://www.facebook.com/sharer.php?u=' . $cmtx_social_url . '&t=' . $cmtx_social_title . '" rel="nofollow"' . $cmtx_social_attribute . '><img src="' . cmtx_commentics_url() . 'images/social/facebook.png" class="cmtx_social_image" title="Facebook" alt="Facebook"/></a>'; } if (cmtx_setting('show_social_delicious')) { echo '<a href="http://delicious.com/post?url=' . $cmtx_social_url . '&title=' . $cmtx_social_title . '" rel="nofollow"' . $cmtx_social_attribute . '><img src="' . cmtx_commentics_url() . 'images/social/delicious.png" class="cmtx_social_image" title="del.icio.us" alt="del.icio.us"/></a>';
?> </div> <div style="clear: left;"></div> <?php } else { if (isset($_POST['submit'])) { cmtx_check_csrf_form_key(); $id = $_GET['id']; $identifier = $_POST['identifier']; $reference = $_POST['reference']; $url = $_POST['url']; $form_enabled = $_POST['form_enabled']; $id_san = cmtx_sanitize($id); $identifier_san = cmtx_sanitize($identifier); $reference_san = cmtx_sanitize($reference); $url_san = cmtx_url_encode_spaces($url); $url_san = cmtx_sanitize($url_san); $form_enabled_san = cmtx_sanitize($form_enabled); if (!empty($identifier) && cmtx_db_num_rows(cmtx_db_query("SELECT * FROM `" . $cmtx_mysql_table_prefix . "pages` WHERE `identifier` = '{$identifier_san}' AND `id` != '{$id_san}'"))) { ?> <div class="error"><?php echo CMTX_MSG_IDENTIFIER_EXISTS; ?> </div> <div style="clear: left;"></div> <?php } else { cmtx_db_query("UPDATE `" . $cmtx_mysql_table_prefix . "pages` SET `identifier` = '{$identifier_san}' WHERE `id` = '{$id_san}'"); cmtx_db_query("UPDATE `" . $cmtx_mysql_table_prefix . "pages` SET `reference` = '{$reference_san}' WHERE `id` = '{$id_san}'"); cmtx_db_query("UPDATE `" . $cmtx_mysql_table_prefix . "pages` SET `url` = '{$url_san}' WHERE `id` = '{$id_san}'"); cmtx_db_query("UPDATE `" . $cmtx_mysql_table_prefix . "pages` SET `is_form_enabled` = '{$form_enabled_san}' WHERE `id` = '{$id_san}'");
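function cmtx_notify_subscribers_admin($poster, $comment, $page_id, $comment_id) { //notify subscribers of admin comment
    global $cmtx_mysql_table_prefix, $cmtx_parent_emails; //globalise variables

    //Sends the "admin replied" notification to every confirmed subscriber of the page, except addresses
    //listed in $cmtx_parent_emails, then marks the comment as sent and records how many mails went out.

    $page_id = cmtx_sanitize($page_id);
    $comment_id = cmtx_sanitize($comment_id);

    //select confirmed subscribers from database
    $subscribers = cmtx_db_query("SELECT * FROM `" . $cmtx_mysql_table_prefix . "subscribers` WHERE `page_id` = '{$page_id}' AND `is_confirmed` = '1'");
    $page_query = cmtx_db_query("SELECT * FROM `" . $cmtx_mysql_table_prefix . "pages` WHERE `id` = '{$page_id}'");
    $page_result = cmtx_db_fetch_assoc($page_query);
    $page_reference = cmtx_decode($page_result['reference']);
    $page_url = cmtx_decode($page_result['url']);
    $comment_url = cmtx_decode(cmtx_get_permalink($comment_id, $page_result['url'])); //get the permalink of the comment

    //use the site's custom template when present, otherwise the stock one
    //NOTE(review): the path is built from the language_frontend setting (admin-controlled, not request data)
    $email_dir = '../includes/emails/' . cmtx_setting('language_frontend') . '/user/';
    if (file_exists($email_dir . 'custom/subscriber_notification_admin.txt')) {
        $subscriber_notification_admin_email_file = $email_dir . 'custom/subscriber_notification_admin.txt';
    } else {
        $subscriber_notification_admin_email_file = $email_dir . 'subscriber_notification_admin.txt';
    }
    //read the template once instead of once per subscriber; an unreadable template becomes '' (what str_ireplace produced from false before)
    $template = file_get_contents($subscriber_notification_admin_email_file);
    if ($template === false) {
        $template = '';
    }

    $poster = cmtx_prepare_name_for_email($poster); //prepare name for email
    $comment = cmtx_prepare_comment_for_email($comment); //prepare comment for email
    $subscription_base = cmtx_url_encode_spaces(cmtx_setting('commentics_url')) . 'subscribers.php' . '?id=';
    $excluded_emails = (array) $cmtx_parent_emails; //tolerate the global being unset

    $count = 0; //count how many emails are sent
    while ($subscriber = cmtx_db_fetch_assoc($subscribers)) { //while there are subscribers
        if (in_array($subscriber['email'], $excluded_emails, true)) {
            continue; //parent commenters are notified elsewhere
        }
        $email = $subscriber['email'];
        $name = cmtx_prepare_name_for_email($subscriber['name']); //prepare name for email
        $subscription_link = $subscription_base . $subscriber['token']; //build subscription link

        //convert email variables with actual variables
        $body = $template;
        $body = str_ireplace('[name]', $name, $body);
        $body = str_ireplace('[page reference]', $page_reference, $body);
        $body = str_ireplace('[page url]', $page_url, $body);
        $body = str_ireplace('[comment url]', $comment_url, $body);
        $body = str_ireplace('[poster]', $poster, $body);
        $body = str_ireplace('[comment]', $comment, $body);
        $body = str_ireplace('[signature]', cmtx_setting('signature'), $body);
        $body = str_ireplace('[subscription link]', $subscription_link, $body);

        //send email
        cmtx_email($email, $name, cmtx_setting('subscriber_notification_admin_subject'), $body, cmtx_setting('subscriber_notification_admin_from_email'), cmtx_setting('subscriber_notification_admin_from_name'), cmtx_setting('subscriber_notification_admin_reply_to'));
        $count++; //increment email counter
    }

    cmtx_db_query("UPDATE `" . $cmtx_mysql_table_prefix . "comments` SET `is_sent` = '1' WHERE `id` = '{$comment_id}'"); //mark comment as sent
    cmtx_db_query("UPDATE `" . $cmtx_mysql_table_prefix . "comments` SET `sent_to` = `sent_to` + '{$count}' WHERE `id` = '{$comment_id}'"); //set how many were sent (if any)
}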