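/**
 * Insert or update a user comment and attach the files staged in ../tmp/{user_id}/.
 *
 * Check_Comment_Owner runs first; the save proceeds only when the procedure
 * reports 0 (caller owns the comment) or $cid is -1 (new comment). Every file
 * found in the staging directory is registered through DBSaveUploadFile, any
 * <img src> that still points at the staged copy is rewritten to the final
 * location, the comment is saved again with the rewritten markup, and the file
 * is moved to ../upload/{encrypted comment id}/.
 *
 * @param int    $cid           comment id, -1 for a new comment
 * @param int    $parentPost    id of the post the comment belongs to
 * @param int    $parentComment id of the parent comment (threading)
 * @param string $content       comment HTML as submitted by the user
 * @param int    $user_id       acting user; also names the staging directory
 * @param int    $deleted       deleted flag passed through to Save_User_Comment
 * @return string JSON document describing the saved comment; the JSON encoding
 *                of null when the ownership check or a prepare() fails
 */
function DBSaveComment($cid, $parentPost, $parentComment, $content, $user_id, $deleted)
{
    $date = getTime();
    global $db;

    // Stays null unless the save succeeds, so the fallthrough return encodes
    // null instead of reading an undefined variable.
    $returnArray = null;
    // Filled by reference through bind_result() below.
    $comment = array();

    $stmt = $db->stmt_init();
    if ($stmt->prepare('CALL Check_Comment_Owner(?, ?)')) {
        $stmt->bind_param('ii', $cid, $user_id);
        $stmt->execute();
        $stmt->bind_result($result);
        $stmt->fetch();
        $stmt->close();

        // 0 from the procedure means the caller owns the comment; -1 is a new one.
        if ($result == 0 || $cid == -1) {
            $db->next_result();
            $stmt = $db->stmt_init();
            if ($stmt->prepare('CALL Save_User_Comment(?, ?, ?, ?, ?, ?,?,?)')) {
                $stmt->bind_param('iiissiii', $cid, $parentPost, $parentComment, $user_id, $content, $deleted, $date, $date);
                $stmt->execute();
                $stmt->bind_result(
                    $comment['parentComment'],
                    $comment['comment_no'],
                    $comment['user_id'],
                    $comment['user_name'],
                    $comment['content'],
                    $comment['date'],
                    $comment['deleted']
                );
                $stmt->fetch();
                $stmt->close();

                $commentId = $comment['comment_no'];
                if ($commentId > 0) {
                    // The upload directory is named after the encrypted id; "/" is
                    // not usable in a directory name, so it is spelled out.
                    $encoded_comment_id = str_replace("/", "SLASH", fnEncrypt("c" . $commentId));
                    $user_dir = "../tmp/" . $user_id . "/";
                    $target_dir = "../upload/" . $encoded_comment_id . "/";
                    $files = directory_to_array($user_dir);

                    // if there are more than 0 files in the ../tmp/[UserID] directory
                    if (sizeof($files) > 0) {
                        // if ../upload/[UserID] directory does not exist, create the directory
                        if (!(file_exists($target_dir) && is_dir($target_dir))) {
                            // NOTE(review): 0777 leaves the upload directory world-writable;
                            // 0755 is enough when the PHP process owns it - confirm the
                            // deployment before tightening. A failed mkdir is deliberately
                            // ignored here and surfaces as failed copy() calls below.
                            @mkdir($target_dir, 0777, true);
                        }

                        foreach ($files as $file) {
                            // The former index loop stopped at the first falsy entry.
                            if (!$file) {
                                break;
                            }
                            $filesize = filesize($file);
                            // basename() replaces end(explode("/", ...)), which passed a
                            // temporary by reference.
                            $filealias = basename($file);
                            $aliasParts = explode(".", $filealias);
                            $fileextension = end($aliasParts);
                            // Staged names carry a 13-digit millisecond timestamp plus a
                            // separator in front of the original name (DBSavePost splits
                            // the same prefix on "-").
                            $filename = substr($filealias, 14);
                            $fileDirectory = $target_dir . $filename;
                            $fileAddress = publicUrl . "/upload/" . $encoded_comment_id . "/" . $filename;

                            //DB Save
                            DBSaveUploadFile($fileextension, -1, $commentId, $filesize, $fileDirectory, $fileAddress);

                            //Check Image is in the DOM: repoint <img> tags that still
                            // reference the staged copy. libxml warnings on malformed
                            // user HTML are suppressed on purpose.
                            $doc = new DOMDocument();
                            // 'HTML-ENTITIES' as an mb_convert_encoding target is
                            // deprecated as of PHP 8.2.
                            @$doc->loadHTML(mb_convert_encoding($content, 'HTML-ENTITIES', 'UTF-8'));
                            $tags = $doc->getElementsByTagName('img');
                            foreach ($tags as $tag) {
                                $source = $tag->getAttribute('src');
                                if ($source == $user_dir . $filealias) {
                                    $tag->removeAttribute('src');
                                    // NOTE(review): DBSavePost writes the public URL
                                    // ($fileAddress) here; this keeps the author's
                                    // relative path - confirm which the front end expects.
                                    $tag->setAttribute('src', $fileDirectory);
                                }
                            }
                            // saveHTML() takes a DOMNode or nothing; the former string
                            // argument is a TypeError on PHP 8. The doctype strip matches
                            // DBSavePost.
                            $newContent = @$doc->saveHTML();
                            $newContent = str_replace('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">', '', $newContent);
                            // Persist the rewritten markup: the re-save below previously
                            // stored the original $content, so the src rewrite was lost
                            // and comments kept pointing at the staged (then deleted) file.
                            $content = $newContent;

                            $db->next_result();
                            $stmt = $db->stmt_init();
                            if ($stmt->prepare('CALL Save_User_Comment(?, ?, ?, ?, ?, ?,?,?)')) {
                                $stmt->bind_param('iiissiii', $commentId, $parentPost, $parentComment, $user_id, $content, $deleted, $date, $date);
                                $stmt->execute();
                                $stmt->bind_result(
                                    $comment['parentComment'],
                                    $comment['comment_no'],
                                    $comment['user_id'],
                                    $comment['user_name'],
                                    $comment['content'],
                                    $comment['date'],
                                    $comment['deleted']
                                );
                                $stmt->fetch();
                                $stmt->close();
                            }

                            //Move file from /tmp/ to /upload/
                            rename($file, $user_dir . $filename);
                            copy($user_dir . $filename, $target_dir . $filename);
                            unlink($user_dir . $filename);
                        }
                    }
                }

                $returnArray = array();
                $dateFormatted = format_date($comment['date']);
                $returnArray['commentId'] = $comment['comment_no'];
                $returnArray['deleted'] = false;
                $returnArray['parentCommentId'] = $comment['parentComment'];
                $returnArray['canEdit'] = true;
                $returnArray['canComment'] = true;
                $returnArray['authorUserId'] = $comment['user_id'];
                $returnArray['author'] = $comment['user_name'];
                // author_email is not among the columns bound from Save_User_Comment,
                // so this is null unless the procedure is extended.
                $returnArray['authorEmail'] = isset($comment['author_email']) ? $comment['author_email'] : null;
                $returnArray['content'] = $comment['content'];
                // Only the formatted date survives; the raw value was overwritten before.
                $returnArray['date'] = $dateFormatted[1];
                $returnArray['children'] = array();
            }
        }
    }

    return json_encode_unescaped($returnArray);
}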
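/**
 * Insert or update a post together with its tags and attachments.
 *
 * Check_Post_Owner runs first; the save proceeds only when the procedure
 * reports 0 (caller owns the post) or $post_id is -1 (new post). After the
 * first Save_Post, tags are applied through DBSavePostTag, staged uploads in
 * ../tmp/{user_id}/ older than a day are purged, each entry of $addedFiles is
 * moved to ../upload/{encrypted post id}/ (renamed name(n).ext on collision),
 * registered through DBSaveUploadFile and re-pointed in the post's <img src>
 * attributes, and each entry of $deletedFiles is unlinked and removed through
 * Delete_Post_File.
 *
 * @param int         $post_id      post id, -1 for a new post
 * @param bool        $pinned       requested pin state; ignored when the session
 *                                  user level is above exec_level
 * @param string      $boardName
 * @param string      $title
 * @param string      $content      post HTML as submitted by the user
 * @param int         $user_id      acting user; also names the staging directory
 * @param array|null  $added_tags   tag names to attach
 * @param array|null  $deleted_tags tag names to detach
 * @param array|null  $addedFiles   list of ['file' => ['alias' => staged name, 'name' => original name]]
 * @param array|null  $deletedFiles list of upload file names to remove
 * @return int|null   id of the saved post as returned by Save_Post (null when
 *                    the final fetch yields no row); -1 when the ownership
 *                    check or a prepare() fails
 */
function DBSavePost($post_id, $pinned, $boardName, $title, $content, $user_id, $added_tags, $deleted_tags, $addedFiles, $deletedFiles)
{
    $date = getTime();
    global $db;
    $stmt = $db->stmt_init();

    // Pinning is a privileged action: silently demote instead of failing.
    if ($pinned && $_SESSION['UserLevel'] > exec_level) {
        $pinned = false;
    }

    if ($stmt->prepare('CALL Check_Post_Owner(?,?)')) {
        $stmt->bind_param('ii', $post_id, $user_id);
        $stmt->execute();
        $stmt->bind_result($result);
        $stmt->fetch();
        $stmt->close();

        // 0 from the procedure means the caller owns the post; -1 is a new one.
        if ($result == 0 || $post_id == -1) {
            $db->next_result();
            $stmt = $db->stmt_init();
            if ($stmt->prepare('CALL Save_Post(?,?,?,?,?,?,?,?)')) {
                $stmt->bind_param('isiissii', $post_id, $boardName, $user_id, $pinned, $title, $content, $date, $date);
                $stmt->execute();
                $post_id_out = NULL;
                $stmt->bind_result($post_id_out);
                $stmt->fetch();
                $stmt->close();

                if ($added_tags != null) {
                    foreach ($added_tags as $tagName) {
                        DBSavePostTag($post_id_out, $tagName, "Save");
                    }
                }
                if ($deleted_tags != null) {
                    foreach ($deleted_tags as $tagName) {
                        DBSavePostTag($post_id_out, $tagName, "Delete");
                    }
                }

                if ($post_id_out > 0) {
                    // The upload directory is named after the encrypted id; "/" is
                    // not usable in a directory name, so it is spelled out.
                    $encoded_post_id = str_replace("/", "SLASH", fnEncrypt("p" . $post_id_out));
                    $user_dir = "../tmp/" . $user_id . "/";
                    $target_dir = "../upload/" . $encoded_post_id . "/";

                    // if there are more than 0 files in the ../tmp/[UserID] directory
                    if (sizeof($addedFiles) > 0) {
                        // Purge staged files older than a day. Aliases start with a
                        // millisecond timestamp followed by "-".
                        $currentfiles = directory_to_array($user_dir);
                        foreach ($currentfiles as $existingFile) {
                            // The former index loop stopped at the first falsy entry.
                            if (!$existingFile) {
                                break;
                            }
                            // split() was removed in PHP 7; explode() yields the same
                            // pieces for a literal separator.
                            $alias = basename($existingFile);
                            $aliasParts = explode("-", $alias);
                            // The cast keeps the pre-PHP 8 "non-numeric prefix is 0"
                            // arithmetic instead of a TypeError.
                            $fileTime = (float) $aliasParts[0] / 1000;
                            $time = getTime();
                            if ($time - $fileTime > 86400) {
                                unlink($existingFile);
                            }
                        }

                        // if ../upload/[UserID] directory does not exist, create the directory
                        if (!(file_exists($target_dir) && is_dir($target_dir))) {
                            // NOTE(review): 0777 leaves the upload directory world-writable;
                            // 0755 is enough when the PHP process owns it - confirm the
                            // deployment before tightening.
                            @mkdir($target_dir, 0777, true);
                        }

                        foreach ($addedFiles as $added) {
                            $file = isset($added['file']) ? $added['file'] : null;
                            // The former index loop stopped at the first falsy entry.
                            if (!$file) {
                                break;
                            }
                            // Both names come from the client; basename() keeps every
                            // path built from them inside the staging and upload
                            // directories (no "../" segments, no absolute paths).
                            $filealias = basename($file['alias']);
                            $filename = basename($file['name']);
                            $filesize = filesize($user_dir . $filealias);
                            $aliasParts = explode(".", $filealias);
                            $fileextension = end($aliasParts);
                            $filename_no_ext = substr($filename, 0, strlen($filename) - strlen($fileextension) - 1);
                            // Never overwrite an existing upload: name(1).ext, name(2).ext, ...
                            $fileCounter = 1;
                            while (file_exists($target_dir . $filename)) {
                                $filename = $filename_no_ext . '(' . $fileCounter . ').' . $fileextension;
                                $fileCounter++;
                            }
                            $fileDirectory = $target_dir . $filename;
                            $fileAddress = publicUrl . "/upload/" . $encoded_post_id . "/" . $filename;

                            //DB Save
                            DBSaveUploadFile($fileextension, $post_id_out, -1, $filesize, $fileDirectory, $fileAddress, $filename);

                            //Check Image is in the DOM: repoint <img> tags that still
                            // reference the staged copy. libxml warnings on malformed
                            // user HTML are suppressed on purpose.
                            $doc = new DOMDocument();
                            // str_replace("&", "&", ...) is a no-op as written; kept
                            // verbatim because it may have been an entity decode before
                            // this listing was reformatted - TODO confirm against the repo.
                            // 'HTML-ENTITIES' as an mb_convert_encoding target is
                            // deprecated as of PHP 8.2.
                            @$doc->loadHTML(mb_convert_encoding(str_replace("&", "&", $content), 'HTML-ENTITIES', 'UTF-8'));
                            $tags = $doc->getElementsByTagName('img');
                            foreach ($tags as $tag) {
                                $source = $tag->getAttribute('src');
                                // BYUNGHOON: !==false, ===false is the proper+safe way to check strpos
                                if (strpos($source, $filealias) !== false && strpos($source, "\\/upload\\/") === false) {
                                    $tag->removeAttribute('src');
                                    $tag->setAttribute('src', $fileAddress);
                                }
                            }
                            $newContent = @$doc->saveHTML();
                            $newContent = str_replace('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">', '', $newContent);
                            $newContent = str_replace("&", "&", $newContent);
                            // Carry the rewritten markup into the next iteration and the re-save.
                            $content = $newContent;

                            $db->next_result();
                            $stmt = $db->stmt_init();
                            if ($stmt->prepare('CALL Save_Post(?,?,?,?,?,?,?,?)')) {
                                $stmt->bind_param('isiissii', $post_id_out, $boardName, $user_id, $pinned, $title, $content, $date, $date);
                                $stmt->execute();
                                // bind_param holds a reference; reset only after execute().
                                $post_id_out = NULL;
                                $stmt->bind_result($post_id_out);
                                $stmt->fetch();
                                $stmt->close();
                            }

                            //Move file from /tmp/ to /upload/
                            rename($user_dir . $filealias, $user_dir . $filename);
                            copy($user_dir . $filename, $target_dir . $filename);
                            unlink($user_dir . $filename);
                        }
                    }
                }

                if ($deletedFiles != null) {
                    $encoded_post_id = str_replace("/", "SLASH", fnEncrypt("p" . $post_id_out));
                    foreach ($deletedFiles as $filename) {
                        // Client-supplied name: basename() keeps the unlink inside
                        // this post's upload directory.
                        $filename = basename($filename);
                        $deletedPath = "../upload/" . $encoded_post_id . "/" . $filename;
                        if (file_exists($deletedPath)) {
                            unlink($deletedPath);
                        }
                        $db->next_result();
                        $stmt = $db->stmt_init();
                        if ($stmt->prepare('CALL Delete_Post_File(?, ?)')) {
                            // NOTE(review): binds the incoming $post_id while the path
                            // above uses $post_id_out; for an existing post they should
                            // agree - confirm against Delete_Post_File.
                            $stmt->bind_param('is', $post_id, $filename);
                            $stmt->execute();
                            $stmt->close();
                        }
                    }
                }

                return $post_id_out;
            }
        }
    }

    return -1;
}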