Esempio n. 1
 * article: saves a comment
 * @param   string $title    comment title
 * @param   string $comment  comment text
 * @param   string $id       Item id to which $cid belongs
 * @param   int    $pid      comment parent
 * @param   string $postmode 'html' or 'text'
 * @return  mixed   false for failure, HTML string (redirect?) for success
function plugin_savecomment_article($title, $comment, $id, $pid, $postmode)
    global $_CONF, $_TABLES, $LANG03, $_USER;
    $retval = '';
    $commentcode = DB_getItem($_TABLES['stories'], 'commentcode', "(sid = '{$id}') AND (draft_flag = 0) AND (date <= NOW())" . COM_getPermSQL('AND'));
    if (!isset($commentcode) || ($commentcode != 0 || TOPIC_hasMultiTopicAccess('article', $id) < 2)) {
        // Need read access of topics to post comment
        COM_redirect($_CONF['site_url'] . '/index.php');
    $ret = CMT_saveComment($title, $comment, $id, $pid, 'article', $postmode);
    if ($ret == -1) {
        $url = COM_buildUrl($_CONF['site_url'] . '/article.php?story=' . $id);
        $url .= (strpos($url, '?') ? '&' : '?') . 'msg=15';
    } elseif ($ret > 0) {
        // failure
        // FIXME: some failures should not return to comment form
        $retval .= CMT_commentForm($title, $comment, $id, $pid, 'article', $LANG03[14], $postmode);
        if (!defined('COMMENT_ON_SAME_PAGE')) {
            $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[1]));
        } else {
            if (!COMMENT_ON_SAME_PAGE) {
                $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[1]));
    } else {
        // success
        $comments = DB_count($_TABLES['comments'], array('type', 'sid'), array('article', $id));
        DB_change($_TABLES['stories'], 'comments', $comments, 'sid', $id);
        // Comment count in Older Stories block may have changed so delete cache
        $cacheInstance = 'olderarticles__';
        // remove all olderarticles instances
        COM_redirect(COM_buildUrl($_CONF['site_url'] . "/article.php?story={$id}"));
    return $retval;
Esempio n. 2
 * Handles a comment edit submission
 * @copyright Jared Wenerd 2008
 * @author Jared Wenerd, wenerd87 AT gmail DOT com
 * @param  string $mode 'edit' or 'editsubmission'
 * @return string HTML (possibly a refresh)
function handleEdit($mode)
    global $_TABLES, $LANG03;
    //get needed data
    $cid = COM_applyFilter($_REQUEST['cid']);
    if ($mode == 'editsubmission') {
        $table = $_TABLES['commentsubmissions'];
        $result = DB_query("SELECT type, sid FROM {$_TABLES['commentsubmissions']} WHERE cid = {$cid}");
        list($type, $sid) = DB_fetchArray($result);
    } else {
        $sid = COM_applyFilter($_REQUEST['sid']);
        $type = COM_applyFilter($_REQUEST['type']);
        $table = $_TABLES['comments'];
    //check for bad data
    if (!is_numeric($cid) || $cid < 0 || empty($sid) || empty($type)) {
        COM_errorLog("handleEdit(): {$_USER['uid']} from {$_SERVER['REMOTE_ADDR']} tried " . 'to edit a comment with one or more missing/bad values.');
        return COM_refresh($_CONF['site_url'] . '/index.php');
    $result = DB_query("SELECT title,comment FROM {$table} " . "WHERE cid = {$cid} AND sid = '{$sid}' AND type = '{$type}'");
    if (DB_numRows($result) == 1) {
        $A = DB_fetchArray($result);
        $title = COM_stripslashes($A['title']);
        $commenttext = COM_stripslashes(COM_undoSpecialChars($A['comment']));
        //remove signature
        $pos = strpos($commenttext, '<!-- COMMENTSIG --><span class="comment-sig">');
        if ($pos > 0) {
            $commenttext = substr($commenttext, 0, $pos);
        //get format mode
        if (preg_match('/<.*>/', $commenttext) != 0) {
            $postmode = 'html';
        } else {
            $postmode = 'plaintext';
    } else {
        COM_errorLog("handleEdit(): {$_USER['uid']} from {$_SERVER['REMOTE_ADDR']} tried " . 'to edit a comment that doesn\'t exist as described.');
        return COM_refresh($_CONF['site_url'] . '/index.php');
    return COM_siteHeader('menu', $LANG03[1]) . CMT_commentForm($title, $commenttext, $sid, $cid, $type, $mode, $postmode) . COM_siteFooter();
Esempio n. 3
 * Handles a comment edit submission
 * @copyright Jared Wenerd 2008
 * @author Jared Wenerd <wenerd87 AT gmail DOT com>
 * @return string HTML (possibly a refresh)
function handleEdit()
    global $_TABLES, $LANG03, $_USER, $_CONF, $_PLUGINS;
    if (isset($_POST['cid'])) {
        $cid = COM_applyFilter($_POST['cid'], true);
    } else {
        if (isset($_GET['cid'])) {
            $cid = COM_applyFilter($_GET['cid'], true);
        } else {
            $cid = -1;
    if (isset($_POST['sid'])) {
        $sid = COM_sanitizeID(COM_applyFilter($_POST['sid']));
    } else {
        if (isset($_GET['sid'])) {
            $sid = COM_sanitizeID(COM_applyFilter($_GET['sid']));
        } else {
            $sid = '';
    if (isset($_POST['type'])) {
        $type = COM_applyFilter($_POST['type']);
    } else {
        if (isset($_GET['type'])) {
            $type = COM_applyFilter($_GET['type']);
        } else {
            $type = '';
    if ($type != 'article') {
        if (!in_array($type, $_PLUGINS)) {
            $type = '';
    if (!is_numeric($cid) || $cid < 0 || empty($sid) || empty($type)) {
        COM_errorLog("handleEdit(): {$_USER['uid']} from {$_SERVER['REMOTE_ADDR']} tried " . 'to edit a comment with one or more missing/bad values.');
        echo COM_refresh($_CONF['site_url'] . '/index.php');
    $result = DB_query("SELECT title,comment FROM {$_TABLES['comments']} " . "WHERE cid = " . (int) $cid . " AND sid = '" . DB_escapeString($sid) . "' AND type = '" . DB_escapeString($type) . "'");
    if (DB_numRows($result) == 1) {
        $A = DB_fetchArray($result);
        $title = $A['title'];
        $commenttext = COM_undoSpecialChars($A['comment']);
        //remove signature
        $pos = strpos($commenttext, '<!-- COMMENTSIG --><div class="comment-sig">');
        if ($pos > 0) {
            $commenttext = substr($commenttext, 0, $pos);
        //get format mode
        if (preg_match('/<.*>/', $commenttext) != 0) {
            $postmode = 'html';
        } else {
            $postmode = 'plaintext';
    } else {
        COM_errorLog("handleEdit(): {$_USER['uid']} from {$_SERVER['REMOTE_ADDR']} tried " . 'to edit a comment that doesn\'t exist as described.');
        return COM_refresh($_CONF['site_url'] . '/index.php');
    $pid = isset($_REQUEST['pid']) ? COM_applyFilter($_REQUEST['pid'], true) : 0;
    return PLG_displayComment($type, $sid, 0, $title, '', 'nobar', 0, 0) . CMT_commentForm($title, $commenttext, $sid, $pid, $type, 'edit', $postmode);
Esempio n. 4
 * Handles comment processing
 * @param    string   $mode    Mode of comment processing
 * @param    string   $type    Type of item (article, polls, etc.)
 * @param    string   $title   Title of item
 * @param    string   $sid     ID for item to show comments for
 * @param    string   $format  'threaded', 'nested', or 'flat'
 * @return   string            HTML formated
function CMT_handleComment($mode = '', $type = '', $title = '', $sid = '', $format = '')
    global $_CONF, $_TABLES, $_USER, $LANG03, $LANG_ADMIN, $topic, $_PLUGINS;
    $commentmode = '';
    if (!empty($_REQUEST[CMT_MODE])) {
        $commentmode = COM_applyFilter($_REQUEST[CMT_MODE]);
    if (empty($mode)) {
        $mode = COM_applyFilter(COM_getArgument(CMT_MODE));
    if (empty($commentmode) && !empty($mode)) {
        $commentmode = $mode;
    if (empty($sid) && !empty($_REQUEST[CMT_SID])) {
        $sid = COM_applyFilter($_REQUEST[CMT_SID]);
    $pid = 0;
    if (!empty($_REQUEST[CMT_PID])) {
        $pid = COM_applyFilter($_REQUEST[CMT_PID], true);
    if (empty($type) && !empty($_REQUEST[CMT_TYPE])) {
        $type = COM_applyFilter($_REQUEST[CMT_TYPE]);
    if (!empty($_REQUEST['title'])) {
        $title = $_REQUEST['title'];
        // apply filters later in CMT_commentForm or CMT_saveComment
    if (!empty($_REQUEST[CMT_UID])) {
        $uid = COM_applyFilter($_REQUEST[CMT_UID]);
    } else {
        $uid = 1;
        if (!empty($_USER['uid'])) {
            $uid = $_USER['uid'];
    $postmode = $_CONF['postmode'];
    if (isset($_REQUEST['postmode'])) {
        $postmode = COM_applyFilter($_REQUEST['postmode']);
    $formtype = '';
    if (!empty($_REQUEST['formtype'])) {
        $formtype = COM_applyFilter($_REQUEST['formtype']);
    // Get comment id, may not be there...will handle in function
    $cid = 0;
    if (isset($_REQUEST[CMT_CID])) {
        $cid = COM_applyFilter($_REQUEST[CMT_CID], true);
    TOPIC_getTopic('comment', $cid);
    if (empty($format) && isset($_REQUEST['format'])) {
        $format = COM_applyFilter($_REQUEST['format']);
    if (!in_array($format, array('threaded', 'nested', 'flat', 'nocomment'))) {
        if (COM_isAnonUser()) {
            $format = $_CONF['comment_mode'];
        } else {
            $format = DB_getItem($_TABLES['usercomment'], 'commentmode', "uid = {$_USER['uid']}");
    $order = '';
    if (isset($_REQUEST['order'])) {
        $order = COM_applyFilter($_REQUEST['order']);
    $cpage = 1;
    if (!empty($_REQUEST['cpage'])) {
        $cpage = COM_applyFilter($_REQUEST['cpage'], true);
        if (empty($cpage)) {
            $cpage = 1;
    $is_comment_page = CMT_isCommentPage();
    $retval = '';
    if ($_CONF['show_comments_at_replying'] && $is_comment_page && !empty($sid) && !empty($type) && in_array($commentmode, array('', $LANG03[28], $LANG03[34], $LANG03[14], 'edit'))) {
        if ($commentmode == 'edit') {
            $cid = 0;
            if (isset($_REQUEST[CMT_CID])) {
                $cid = COM_applyFilter($_REQUEST[CMT_CID], true);
            if ($cid <= 0) {
                COM_errorLog("CMT_handleComment(): {$_USER['uid']} from {$_SERVER['REMOTE_ADDR']} tried " . 'to edit a comment with one or more missing/bad values.');
                return COM_refresh($_CONF['site_url'] . '/index.php');
            $pid = $cid;
        if ($pid > 0 && empty($title)) {
            $atype = DB_escapeString($type);
            $title = DB_getItem($_TABLES['comments'], 'title', "(cid = {$pid}) AND (type = '{$atype}')");
        if (empty($title)) {
            $title = PLG_getItemInfo($type, $sid, 'title');
            $title = str_replace('$', '&#36;', $title);
            // CMT_userComments expects non-htmlspecial chars for title...
            $title = str_replace('&amp;', '&', $title);
            $title = str_replace('&quot;', '"', $title);
            $title = str_replace('&lt;', '<', $title);
            $title = str_replace('&gt;', '>', $title);
        $retval .= CMT_userComments($sid, $title, $type, $order, $format, $pid, $cpage, $pid > 0, false, 0);
    switch ($commentmode) {
        case $LANG03[28]:
            // Preview Changes (for edit)
        // Preview Changes (for edit)
        case $LANG03[34]:
            // Preview Submission changes (for edit)
        // Preview Submission changes (for edit)
        case $LANG03[14]:
            // Preview
            $retval .= CMT_commentForm($title, $_POST['comment'], $sid, $pid, $type, $commentmode, $postmode, $format, $order, $cpage);
            if ($is_comment_page) {
                $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[14]));
        case $LANG03[35]:
            // Submit Changes to Moderation table
        // Submit Changes to Moderation table
        case $LANG03[29]:
            // Submit Changes
            if (SEC_checkToken()) {
                $retval .= CMT_handleEditSubmit($commentmode);
            } else {
                echo COM_refresh($_CONF['site_url'] . '/index.php');
        case $LANG03[11]:
            // Submit comment
            $retval .= CMT_handleSubmit($title, $sid, $pid, $type, $postmode, $uid);
        case $LANG_ADMIN['delete']:
        case 'delete':
            // Delete comment
            if (SEC_checkToken()) {
                $retval .= CMT_handleDelete($sid, $type, $formtype);
            } else {
                echo COM_refresh($_CONF['site_url'] . '/index.php');
        case 'view':
            // View comment by $cid
            $retval .= CMT_handleView($format, $order, $cpage, true);
        case 'display':
            // View comment by $pid
            $retval .= CMT_handleView($format, $order, $cpage, false);
        case 'report':
            if ($is_comment_page) {
                $cid = 0;
                if (isset($_GET[CMT_CID])) {
                    $cid = COM_applyFilter($_GET[CMT_CID], true);
                $type = '';
                if (isset($_GET[CMT_TYPE])) {
                    $type = COM_applyFilter($_GET[CMT_TYPE]);
                if ($cid <= 0 || empty($type)) {
                    echo COM_refresh($_CONF['site_url'] . '/index.php');
                $retval .= CMT_reportAbusiveComment($cid, $type);
                $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[27]));
        case 'sendreport':
            if (SEC_checkToken()) {
                $cid = 0;
                if (isset($_POST[CMT_CID])) {
                    $cid = COM_applyFilter($_POST[CMT_CID], true);
                $type = '';
                if (isset($_POST[CMT_TYPE])) {
                    $type = COM_applyFilter($_POST[CMT_TYPE]);
                if ($cid <= 0 || empty($type)) {
                    echo COM_refresh($_CONF['site_url'] . '/index.php');
                $retval .= CMT_sendReport($cid, $type);
            } else {
                echo COM_refresh($_CONF['site_url'] . '/index.php');
        case 'editsubmission':
            if (!SEC_hasRights('comment.moderate')) {
                echo COM_refresh($_CONF['site_url'] . '/index.php');
            // deliberate fall-through
        // deliberate fall-through
        case 'edit':
            $retval .= CMT_handleEdit($commentmode, $postmode, $format, $order, $cpage);
            if ($is_comment_page) {
                $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[1]));
        case 'unsubscribe':
            $cid = 0;
            $key = COM_applyFilter($_GET['key']);
            if (!empty($key)) {
                $key = DB_escapeString($key);
                $cid = DB_getItem($_TABLES['commentnotifications'], 'cid', "deletehash = '{$key}'");
                if (!empty($cid)) {
                    $redirecturl = $_CONF['site_url'] . '/comment.php?mode=view&amp;cid=' . $cid . '&amp;format=nested&amp;msg=16';
                    DB_delete($_TABLES['commentnotifications'], 'deletehash', $key, $redirecturl);
            echo COM_refresh($_CONF['site_url'] . '/index.php');
        case $LANG_ADMIN['cancel']:
            if ($formtype == 'editsubmission') {
                echo COM_refresh($_CONF['site_admin_url'] . '/moderation.php');
            } else {
                $retval .= CMT_handleCancel();
                // moved to function for readibility
            // New Comment or Reply Comment
            $abort = false;
            // Check to make sure comment type exists
            if ($type != 'article' && !in_array($type, $_PLUGINS)) {
                $abort = true;
            // Check article permissions
            if (!$abort && $type == 'article' && !empty($sid)) {
                $dbTitle = DB_getItem($_TABLES['stories'], 'title', "(sid = '{$sid}') AND (draft_flag = 0) AND (date <= NOW()) AND (commentcode = 0)" . COM_getPermSQL('AND'));
                // if ($dbTitle === null || TOPIC_hasMultiTopicAccess('article', $sid) < 2) { // Make sure have at least read access to topics to post comment
                if ($dbTitle === null || TOPIC_hasMultiTopicAccess('article', $sid, $topic) < 2) {
                    // Make sure have at least read access to current topic of article to post comment
                    // no permissions, or no story of that title
                    $abort = true;
            if (!$abort && !empty($sid) && !empty($type)) {
                if ($pid > 0 && empty($title)) {
                    $atype = DB_escapeString($type);
                    $title = DB_getItem($_TABLES['comments'], 'title', "(cid = {$pid}) AND (type = '{$atype}')");
                if (empty($title)) {
                    $title = PLG_getItemInfo($type, $sid, 'title');
                    // Check title, if for some reason blank assume no access allowed to plugin item (therefore cannot add comment) so return to homepage
                    if (is_array($title) || empty($title) || $title == false) {
                        echo COM_refresh($_CONF['site_url'] . '/index.php');
                    $title = str_replace('$', '&#36;', $title);
                    // CMT_commentForm expects non-htmlspecial chars for title...
                    $title = str_replace('&amp;', '&', $title);
                    $title = str_replace('&quot;', '"', $title);
                    $title = str_replace('&lt;', '<', $title);
                    $title = str_replace('&gt;', '>', $title);
                $retval .= CMT_commentForm($title, '', $sid, $pid, $type, $commentmode, $postmode, $format, $order, $cpage);
            } else {
                if (COMMENT_ON_SAME_PAGE) {
                    // Do nothing and do not show comment form (happens most likely when admin viewing draft article)
                } else {
                    // For comments not displayed on same page (probably owner pushed the post comment button on a draft article)
                    echo COM_refresh($_CONF['site_url'] . '/index.php');
            if ($is_comment_page) {
                $noindex = '<meta name="robots" content="noindex"' . XHTML . '>';
                $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[1], 'headercode' => $noindex));
    return $retval;
Esempio n. 5
 * article: saves a comment
 * @param   string  $title  comment title
 * @param   string  $comment comment text
 * @param   string  $id     Item id to which $cid belongs
 * @param   int     $pid    comment parent
 * @param   string  $postmode 'html' or 'text'
 * @return  mixed   false for failure, HTML string (redirect?) for success
function plugin_savecomment_article($title, $comment, $id, $pid, $postmode)
    global $_CONF, $_TABLES, $LANG03, $_USER;
    $retval = '';
    $commentcode = DB_getItem($_TABLES['stories'], 'commentcode', "(sid = '" . DB_escapeString($id) . "') AND (draft_flag = 0) AND (date <= NOW())" . COM_getPermSQL('AND'));
    if (!isset($commentcode) || $commentcode != 0) {
        return COM_refresh($_CONF['site_url'] . '/index.php');
    $ret = CMT_saveComment($title, $comment, $id, $pid, 'article', $postmode);
    if ($ret > 0) {
        // failure
        $msg = '';
        if (SESS_isSet('glfusion.commentpresave.error')) {
            $msg = COM_showMessageText(SESS_getVar('glfusion.commentpresave.error'), '', 1, 'error');
        } else {
            if (empty($title) || empty($comment)) {
                $msg = COM_showMessageText($LANG03[12], '', 1, 'error');
        $retval .= $msg . CMT_commentForm($title, $comment, $id, $pid, 'article', $LANG03[14], $postmode);
    } else {
        // success
        $comments = DB_count($_TABLES['comments'], array('type', 'sid'), array('article', $id));
        DB_change($_TABLES['stories'], 'comments', $comments, 'sid', $id);
        // update comment count in Older Stories block
        $retval = COM_refresh(COM_buildUrl($_CONF['site_url'] . "/article.php?story={$id}#comments"));
    return $retval;