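/**
 * Prepares a comment to be saved.
 *
 * Normalises the untrusted, user-supplied fields before they are stored:
 *  - user:   tags stripped, newlines turned into spaces, trimmed
 *  - userid: tags stripped, backslash / quotes / newline replaced, trimmed,
 *            and "http://" prepended when no http(s) scheme is present
 *  - email:  same treatment as userid, minus the scheme prefix
 *  - body:   delegated to COMMENT::prepareBody()
 *
 * NOTE(review): strip_tags() is an input filter, not output encoding. These
 * values must still be escaped for whatever context they are rendered in.
 *
 * @static
 * @param array $comment associative array with 'user', 'userid', 'email', 'body'
 * @return array the same array with normalised values
 */
function prepare($comment) {
    // Characters removed from userid/email and their one-to-one replacements.
    // strtr() with string arguments silently ignores every character of $from
    // beyond strlen($to), so both strings MUST be the same length. The previous
    // replacement string '-- ' was one character short, which let the newline
    // (the 4th character of $from) pass through untouched.
    $unsafe      = "\\'\"\n";   // backslash, single quote, double quote, newline
    $replacement = '--- ';      // exactly strlen($unsafe) characters

    $comment['user']   = strip_tags($comment['user']);
    $comment['userid'] = strip_tags($comment['userid']);
    $comment['email']  = strip_tags($comment['email']);

    // the display name keeps its quotes; only newlines are flattened to spaces
    $comment['user']   = trim(strtr($comment['user'], "\n", ' '));
    $comment['userid'] = trim(strtr($comment['userid'], $unsafe, $replacement));
    $comment['email']  = trim(strtr($comment['email'], $unsafe, $replacement));

    // a non-empty userid (homepage URL) without an explicit http:// or https://
    // prefix gets "http://" prepended
    if (!empty($comment['userid'])
        && strpos($comment['userid'], 'http://') !== 0
        && strpos($comment['userid'], 'https://') !== 0) {
        $comment['userid'] = 'http://' . $comment['userid'];
    }

    $comment['body'] = COMMENT::prepareBody($comment['body']);

    return $comment;
}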
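/**
 * Admin action: saves an edited comment (homepage URL, e-mail address, body).
 *
 * Reads commentid from the request and url / email / body from POST. The
 * current member must be allowed to alter the comment (canAlterComment),
 * otherwise disallow() is invoked. The body is rejected when it contains a
 * run of 90 unbroken URL-like characters, is shorter than 3 bytes or longer
 * than 5000 bytes; it is then passed through COMMENT::prepareBody() and the
 * 'PreUpdateComment' plugin event before the UPDATE. Afterwards the member is
 * sent to the item's comment list if they may alter the item, else to the
 * list of their own comments.
 *
 * NOTE(review): no anti-CSRF ticket check is visible inside this action —
 * confirm the dispatcher enforces one before it is reached.
 * NOTE(review): the control flow assumes $this->error() does not return; if it
 * does, the UPDATE below still runs on rejected input — verify.
 */
function action_commentupdate() {
    global $member, $manager;

    $commentid = intRequestVar('commentid');
    $member->canAlterComment($commentid) or $this->disallow();

    $url   = postVar('url');
    $email = postVar('email');
    $body  = postVar('body');

    // Apply the same normalisation COMMENT::prepare() applies when a comment is
    // first stored: strip markup, replace backslash / quotes / newline, trim.
    // (strtr() needs $from and $to of equal length, or the trailing characters
    // of $from are silently ignored.)
    $url   = trim(strtr(strip_tags($url), "\\'\"\n", '--- '));
    $email = trim(strtr(strip_tags($email), "\\'\"\n", '--- '));

    // Reject a run of 90 characters from [a-zA-Z0-9|.,;:!?=/\] with no
    // whitespace (an over-long "word"). This replaces the deprecated eregi()
    // call; note a literal backslash needs '\\\\' inside a single-quoted PCRE
    // pattern.
    if (preg_match('#[a-zA-Z0-9|\\.,;:!\\?=\\/\\\\]{90}#', $body) === 1) {
        $this->error(_ERROR_COMMENT_LONGWORD);
    }

    // length limits are byte-wise (strlen), unchanged from the original
    if (strlen($body) < 3) {
        $this->error(_ERROR_COMMENT_NOCOMMENT);
    }
    if (strlen($body) > 5000) {
        $this->error(_ERROR_COMMENT_TOOLONG);
    }

    $body = COMMENT::prepareBody($body);

    // plugins may rewrite the body in place (passed by reference)
    $manager->notify('PreUpdateComment', array('body' => &$body));

    // every string value is escaped for the SQL string context;
    // $commentid already comes back as an int from intRequestVar()
    $query = 'UPDATE ' . sql_table('comment')
           . " SET cmail = '" . sql_real_escape_string($url) . "',"
           . " cemail = '" . sql_real_escape_string($email) . "',"
           . " cbody = '" . sql_real_escape_string($body) . "'"
           . ' WHERE cnumber=' . $commentid;
    sql_query($query);

    // look up the owning item to decide which list to show next
    $res    = sql_query('SELECT citem FROM ' . sql_table('comment') . ' WHERE cnumber=' . $commentid);
    $o      = sql_fetch_object($res);
    $itemid = $o->citem;

    if ($member->canAlterItem($itemid)) {
        $this->action_itemcommentlist($itemid);
    } else {
        $this->action_browseowncomments();
    }
}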