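<?php
session_start();

// Form fields: flag1 = review text, flag2 = rating, flag3 = product id.
// `??` avoids an undefined-index warning when a field is absent. All three
// are attacker-controlled; checkintruder() below only ever inspects flag1,
// so none of them may reach the database except through bound parameters.
$reviewtext = $_POST["flag1"] ?? '';
$category = 0;
$rating = $_POST["flag2"] ?? '';
$productid = $_POST["flag3"] ?? '';

// The original `if($comment="")` was an assignment, not a comparison, so the
// "NULL" placeholder was never applied. $comment is not read anywhere in this
// file; it is kept only in case an include relies on it.
$comment = "NULL";

include "db.php";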
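/**
 * Character blacklist applied to the review text before it is stored.
 *
 * Returns true when $query contains none of  ' { } @ # ~ ? < >  and false
 * otherwise. The original pattern lacked the closing ']' of its character
 * class, so preg_match() failed to compile it, returned false, and the
 * function accepted every input. The class is now closed, and any PCRE
 * failure is treated as a rejection (fail closed instead of fail open).
 *
 * This is a blacklist, not escaping: it does not catch " \ ; or comment
 * sequences such as --, and it is only applied to flag1 by the caller.
 * It is not a substitute for bound parameters in the SQL below.
 *
 * @param mixed $query review text; null is treated as "", non-strings are rejected
 * @return bool true if no blacklisted character was found
 */
function checkintruder($query)
{
    $text = $query ?? '';
    if (!is_string($text)) {
        // Arrays (flag1[]=...) or other non-string input: refuse rather than coerce.
        return false;
    }
    $hit = preg_match('/[\'{}@#~?<>]/', $text);
    // 0 = no blacklisted character, 1 = found one, false = PCRE error.
    return $hit === 0;
}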
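$timestamp = time();

// Reviews are attributed to the session user; refuse anonymous requests
// instead of storing a review with an empty owner. NOTE(review): no CSRF
// token is checked here and the submitting form is not visible from this
// file — confirm one is enforced upstream.
if (!isset($_SESSION['username']) || $_SESSION['username'] === '') {
    http_response_code(403);
    exit;
}
$username = $_SESSION['username'];
$reviewid = $productid . '_review_' . $timestamp;

// Find an existing review by this user for this product. Every user-supplied
// value is passed as a bound parameter: the string-built queries this replaces
// were injectable through flag2/flag3, which checkintruder() never inspected.
// (mysqli_prepare() returns false on failure in older error modes and throws
// under the PHP 8.1+ default; both paths stop before any write.)
$count = 0;
$stmt = mysqli_prepare($con, "select reviewid from reviewdb where ( productid = ? and username = ? ) ");
if ($stmt === false) {
    http_response_code(500);
    exit;
}
mysqli_stmt_bind_param($stmt, "ss", $productid, $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $existingid);
while (mysqli_stmt_fetch($stmt)) {
    $count++;
    $reviewid = $existingid;  // last matching row wins, as before
}
mysqli_stmt_close($stmt);

if (checkintruder($reviewtext)) {
    // TODO(review): $rating is bound as an opaque string; the reviewdb schema
    // is not visible here — add a type/range check once the column type is known.
    if ($count === 0) {
        $stmt = mysqli_prepare($con, "insert into reviewdb values (?, ?, ?, ?, ?, ?) ");
        if ($stmt === false) {
            http_response_code(500);
            exit;
        }
        mysqli_stmt_bind_param($stmt, "sssssi", $reviewid, $productid, $username, $rating, $reviewtext, $timestamp);
    } elseif ($reviewtext != "") {
        $stmt = mysqli_prepare($con, "update reviewdb set rating = ? , reviewtext = ?, timestamp = ? where reviewid = ? ");
        if ($stmt === false) {
            http_response_code(500);
            exit;
        }
        mysqli_stmt_bind_param($stmt, "ssis", $rating, $reviewtext, $timestamp, $reviewid);
    } else {
        // Empty text on an existing review: refresh rating and timestamp only.
        $stmt = mysqli_prepare($con, "update reviewdb set rating = ? , timestamp = ? where reviewid = ? ");
        if ($stmt === false) {
            http_response_code(500);
            exit;
        }
        mysqli_stmt_bind_param($stmt, "sis", $rating, $timestamp, $reviewid);
    }
    $results = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
} else {
    // Review text hit the character blacklist; nothing is written.
}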
/*
header('content-type: application/json');
echo json_encode($rs);
*/
?>