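/**
 * Adds a comment to an issue and bumps that issue's comment counter.
 *
 * @param mixed  $issue   id of the issue being commented on; escaped here before it reaches SQL
 * @param string $content comment body; escaped here before it reaches SQL
 * @param string $return  'json' returns array('success' => bool, 'message' => string);
 *                        any other value returns bool and stores the message in global $commenterr
 * @param string $type    optional value for the comments.type column; the column is omitted when ''
 * @return array|bool depends on $return, see above
 */
function ticket_comment_add($issue, $content, $return, $type = '')
{
    // the logged-in client record is a global in this codebase
    global $client;
    // every value interpolated into SQL goes through the project's escaper;
    // $issue was previously interpolated unescaped into both statements
    $issue = escape_smart($issue);
    $content = escape_smart($content);
    $type = escape_smart($type);
    $success = true;
    $message = '';
    if (!$client['is_logged']) {
        $success = false;
        $message = 'You do not have sufficient privileges to post the comment.';
    } elseif (!hascharacters($content)) {
        $success = false;
        $message = 'You didn\'t put in any content to post.';
    } else {
        // the author column is interpolated unquoted, so force it to an integer;
        // assumes a logged-in client always has a numeric uid in the session -- confirm
        $author = (int) $_SESSION['uid'];
        // optional custom type: only add the column and its value when one was supplied
        $typecolumn = '';
        $typevalue = '';
        if ($type !== '') {
            $typecolumn = ",type";
            $typevalue = ",'{$type}'";
        }
        if (db_query("INSERT INTO comments (author,issue,content,when_posted{$typecolumn}) VALUES ({$author},'{$issue}','{$content}',NOW(){$typevalue})")) {
            if (!db_query("UPDATE issues SET num_comments=num_comments+1, when_updated=NOW() WHERE id='{$issue}'")) {
                $success = false;
                $message = 'Comment inserted successfully, however the comment count could not be updated.';
            }
        } else {
            $success = false;
            $message = 'Could not insert the comment.';
        }
    }
    if ($return === 'json') {
        return array('success' => $success, 'message' => $message);
    }
    // 'success' and any other value: hand the message back through the global, return the flag
    global $commenterr;
    $commenterr = $message;
    return $success;
}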
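 /**
  * Looks up a user by username and checks the supplied password against the stored hash.
  *
  * @param string $username       username to look up (escaped before use in SQL)
  * @param string $password       plain password, or an already-hashed one when $passwordishash is true
  * @param bool   $passwordishash when true, $password is compared directly against the stored hash
  * @return array|false array('salt' => string, 'uid' => mixed) when exactly one row matched on
  *                     both username and password, false otherwise
  */
 public function is_user($username, $password, $passwordishash = false)
 {
     $username2 = escape_smart($username);
     // NOTE(review): the WHERE clause compares against the literal '******' rather than
     // {$username2}, so $username2 is computed but never used -- confirm whether this is a
     // redaction in the listing or a defect in the query.
     $result = db_query("SELECT * FROM users WHERE username = '******'", 'Checking whether a given username/password matches a user') or die(mysql_error());
     // $hit: 0 = nothing matched, 1 = username and password matched, 2 = username only,
     // 3 = password only, -1 = more than one row came back for the username
     $hit = 0;
     $gotone = false;
     $salt = '';
     $uid = null;
     while ($row = mysql_fetch_array($result)) {
         $salt = $row['password_salt'];
         $uid = $row['id'];
         if ($gotone) {
             // a second row for the same username: refuse to authenticate
             $hit = -1;
             continue;
         }
         $gotone = true;
         if ($username === $row['username']) {
             $hit = 2;
         }
         $supposedpass = $passwordishash ? $password : $this->generate_password($salt, $password);
         // hash_equals is strict and constant-time; the previous == comparison coerced
         // numeric-looking strings (e.g. two "0e..." digests compare equal under ==)
         if (hash_equals((string) $row['password'], (string) $supposedpass)) {
             $hit = $hit === 2 ? 1 : 3;
         }
     }
     if ($hit === 1) {
         return array('salt' => $salt, 'uid' => $uid);
     }
     return false;
 }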
// We need to be logged in for this, of course
if (!$users->client->is_logged) {
    echo 'You are not logged in.';
} else {
    // Have we got some input? Looks like we should handle it!
    if (isset($_POST['submit'])) {
        $title = escape_smart(htmlentities($_POST['title']));
        $description = escape_smart(htmlentities($_POST['description']));
        $severity = escape_smart($_POST['severity']);
        // Error arrays
        $error = false;
        $errors_title = array();
        $errors_tags = array();
        $errors_description = array();
        // Sanitise the tags string [TODO: use the separate table for tags instead of one long string]
        $tags = escape_smart(htmlentities($_POST['tags']));
        // Remove excessive whitespace, first on the sides, and then double/triple/quadruple/etc spaces
        $tags = trim($tags);
        while (strstr($tags, '  ')) {
            $tags = str_replace('  ', ' ', $tags);
        }
        // Split the tags into a nice array and get a proper count of how many tags there are
        $tagsarr = explode(' ', $tags);
        sort($tagsarr);
        $tagsc = empty($tags) ? 0 : count($tagsarr);
        // We need to explicitly set to 0 if there's no items because of how explode works
        // Have we gone over the tag limit?
        if ($tagsc > 5) {
            $error = true;
            $errors_tags[] = 'You may only provide up to 5 tags.';
        }
         rename($from, $to);
     } catch (Exception $e) {
         $success = false;
     }
     // message
     if ($success) {
         $message = $txt['files_info_success'];
     } else {
         $message = $txt['files_info_failure'];
     }
     echo json_encode(array('success' => $success, 'message' => $message));
     break;
 case 'delete':
     header('Content-type: application/json');
     // info goes in
     $filename = escape_smart($_POST['filename']);
     // success tracking
     $success = true;
     // delete the file
     try {
         unlink($filedir . '/' . $filename);
     } catch (Exception $e) {
         $success = false;
     }
     // message
     if ($success) {
         $message = $txt['files_del_success'];
     } else {
         $message = $txt['files_del_failure'];
     }
     echo json_encode(array('success' => $success, 'message' => $message));
    }
    // error check: password too short
    if (strlen($_POST['pwd']) < 5) {
        $errors_pwd[] = 'Your desired password is too short, please create a longer password.';
        $error = true;
    }
    // error check: invalid email
    if (!is_email($_POST['emal'])) {
        $errors_email[] = 'The email you provided cannot be a valid one, please check it.';
    }
    // no errors! whew
    if (!$error) {
        $u = escape_smart($_POST['uname']);
        $s = md5(rand(0, 9001));
        $p = $users->generate_password($s, $_POST['pwd']);
        $e = escape_smart($_POST['emal']);
        $query = db_query("INSERT INTO users (username,password,password_salt,when_registered,email,avatar_type,avatar_location)" . "VALUES ('{$u}','{$p}','{$s}',NOW(),'{$e}',1,'img/defaultava.png')");
        echo '
		You have been successfully registered!
		<br />
		<br />
		<a href="user_login.php">Login</a>';
    }
}
if ($error || !isset($_POST['subregister'])) {
    echo '
	<div class="alert" style="width: 768px;">
		<img src="img/alert/exclaim.png" alt="" />
		<b>As you\'re filling the form out, make sure:</b>
		
		<br />
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * Under section 7b of the GNU General Public License you are
 * required to preserve this notice. Additional attribution may be
 * found in the NOTICES.txt file provided with the Program.
 * 
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
if (isset($_POST['submit'])) {
    $error = false;
    $sitename = escape_smart($_POST['sitename']);
    $theme = escape_smart($_POST['theme']);
    $gzip = $_POST['gzip'] == 'on' ? 1 : 0;
    $stripwhitespace = $_POST['stripwhitespace'] == 'on' ? 1 : 0;
    // invalid theme?
    if (!file_exists("sp-content/themes/{$theme}")) {
        $error = true;
        $errors_theme[] = 'The theme id you provided does not exist on your server.';
    }
    // no errors?
    if (!$error) {
        // Alright, let's do this!
        $success = true;
        // A new site name!
        if ($sitename != $config['sitename']) {
            db_query("REPLACE INTO config(name, value) VALUES ('sitename', '{$sitename}')", 'Updating the site name') or $success = false;
        }
            } else {
                mysql_error();
            }
            break;
        case 'rename':
            echo '<h3>Renaming tag</h3>';
            $n = escape_smart($_POST['str']);
            $i = escape_smart($_GET['id']);
            $query = db_query("UPDATE tags set name='{$n}' WHERE id='{$i}'");
            if ($query) {
                echo 'Renamed succesfully!';
            } else {
                mysql_error();
            }
            break;
        case 'delete':
            echo '<h3>Delete tag</h3>';
            $i = escape_smart($_GET['id']);
            $query = db_query("DELETE FROM tags WHERE id='{$i}'");
            if ($query) {
                echo 'Deleted succesfully!';
            } else {
                mysql_error();
            }
            break;
        default:
            echo 'What?';
            break;
    }
    echo '<br /><br /><a href="' . $uri2 . '">Go back</a>';
}
     $ts = escape_smart($_POST['title_short']);
     // rename time!
     $success = true;
     mysql_query("UPDATE pages SET page_title_full = '{$tf}', page_title_menu = '{$ts}' WHERE page_id = {$id}") or $success = false;
     // message
     if ($success) {
         $message = $txt['pages_info_success'];
     } else {
         $message = $txt['pages_info_failure'];
     }
     echo json_encode(array('success' => $success, 'message' => $message));
     break;
 case 'delete':
     header('Content-type: application/json');
     // info goes in
     $pid = escape_smart($_POST['page_id']);
     // delete the page
     $success = true;
     mysql_query("DELETE FROM pages WHERE page_id = {$pid}") or $success = false;
     // message
     if ($success) {
         $message = $txt['pages_del_success'];
     } else {
         $message = $txt['pages_del_failure'];
     }
     echo json_encode(array('success' => $success, 'message' => $message));
     break;
 case 'reorder':
     header('Content-type: application/json');
     // info goes in
     $n = $_POST['nodes'];
				<label for="avatar-gravatar">
				<img src="http://www.gravatar.com/avatar/' . md5($users->client->info['email']) . '?d=identicon&amp;s=32" alt="" />
				<img src="http://www.gravatar.com/avatar/' . md5($users->client->info['email']) . '?d=identicon&amp;s=16" alt="" />
				Gravatar
				</label>
				<a href="http://gravatar.com/" tabindex="4">(change)</a>
			</p>
			<p>
				<input type="submit" value="Save" disabled />
			</p>
		</form>';
            break;
        case 'login':
            if (isset($_POST['submit'])) {
                $error = false;
                $email = escape_smart($_POST['email']);
                $password = $_POST['password'];
                // change the email?
                if ($email != $users->client->info['email']) {
                    if (!is_email($email)) {
                        $errors_email[] = 'The email you provided cannot be a valid one, please check it.';
                        $error = true;
                    }
                } else {
                    $email = '';
                }
                // change the show email switch?
                $showemail = strtolower($_POST['email-show']) == 'on' ? 1 : 0;
                if ($showemail != $users->client->info['email_show']) {
                    $showemail_changed = true;
                }
     echo 'That ticket doesn\'t exist! If you accessed this page through a link, please contact the person who posted it and inform them that the link is invalid.';
 } else {
     $issue = mysql_fetch_array($result_issues);
     $page->setTitle($issue['name']);
     // do we have a comment to post?
     if (isset($_POST['submit'])) {
         $error = false;
         $errors = array();
         // safety first
         $comment = escape_smart($_POST['comment']);
         $status = escape_smart($_POST['status']);
         $assign = escape_smart($_POST['assign']);
         $data = isset($_POST["misc"]) ? $_POST["misc"] : "";
         $bn = basename(dirname($_SERVER[PHP_SELF]));
         if ($status == 6) {
             $misc = escape_smart("Duplicate Of=<a href='{$bn}/ticket.php?id={$data}'>{$data}</a>");
         }
         // TODO: make a method of adding these messages that don't involve permanently storing a name...
         // has the status been changed?
         if (is_numeric($status) && $status != $issue['status']) {
             if (!db_query("UPDATE issues SET status = {$status}, misc='{$misc}' WHERE id = {$id} ")) {
                 $error = true;
                 $errors[] = 'The status of the ticket could not be changed. There may be a server error.';
             } else {
                 $comment .= "\n\n" . '[b]*** Status changed to ' . getstatusnm($status) . ' ***[/b]';
                 $comment .= $misc != "" ? "\n\n[b]*** Received extra data: {$data} ***[/b]" : "";
             }
         }
         // has the assigned user been changed?
         if (is_numeric($assign) && $assign != $issue['assign']) {
             if (!db_query("UPDATE issues SET assign = {$assign} WHERE id = {$id}")) {