コード例 #1
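/**
 * Records a vote (or a "sink") by $user_ID on $post_ID, unless the user already voted.
 *
 * Both sides of the relation are kept as comma-separated id lists: the post's row in
 * {prefix}votes (columns `votes` / `usersinks`) and the user's row in {prefix}votes_users
 * (columns `votes` / `sinks`). A vote appends $user_ID to the post's `votes` list and
 * $post_ID to the user's `votes` list; a sink does the same with the sink columns.
 *
 * Fixes relative to the original listing:
 *  - the sink branch referenced an undefined `$votesinks_raw`, so every sink wiped the
 *    user's vote list (it wrote '' back into votes_users.votes);
 *  - all values now go through $wpdb->prepare() instead of being concatenated into SQL
 *    (the original used the deprecated $wpdb->escape() and string-built queries);
 *  - only the two columns that actually change are written, so an unchanged column is no
 *    longer overwritten with a stale copy.
 *
 * @param int|string $post_ID post being voted on
 * @param int|string $user_ID voting user
 * @param string     $type    'sink' records a sink; any other value records a vote
 * @return string 'true' if the vote was recorded, 'false' if the user had already voted
 *                (the original author also documents '' on failure)
 */
function Vote($post_ID, $user_ID, $type)
{
    global $wpdb;

    // Table names cannot be bound by prepare(); $wpdb->prefix is trusted configuration.
    $postTable = $wpdb->prefix . 'votes';
    $userTable = $wpdb->prefix . 'votes_users';

    // NOTE(review): in this listing every user-side WHERE clause compares against the
    // literal '******' rather than an id — presumably a redaction of $u_ID. Confirm against
    // the original plugin source before relying on the user-side queries.
    $userKey = '******';

    // Escaped copies are kept for the helpers that received them in the original code
    // (and that end up inside the stored lists); esc_sql() replaces the deprecated
    // $wpdb->escape(). The queries themselves bind the raw ids through prepare().
    $p_ID = esc_sql($post_ID);
    $u_ID = esc_sql($user_ID);

    // Create the post / user rows if they do not exist yet (helpers defined elsewhere).
    SetPost($p_ID);
    SetUser($u_ID);

    // Read the current lists. The (string) cast guards against a NULL column: explode() on
    // null is deprecated since PHP 8.1 and yields the same [''] as an empty string.
    $votes_raw = (string) $wpdb->get_var($wpdb->prepare("SELECT votes FROM {$postTable} WHERE post = %s", $post_ID));
    $sinks_raw = (string) $wpdb->get_var($wpdb->prepare("SELECT usersinks FROM {$postTable} WHERE post = %s", $post_ID));
    $uservotes_raw = (string) $wpdb->get_var($wpdb->prepare("SELECT votes FROM {$userTable} WHERE user = %s", $userKey));
    $usersinks_raw = (string) $wpdb->get_var($wpdb->prepare("SELECT sinks FROM {$userTable} WHERE user = %s", $userKey));

    // NOTE: explode() of an empty list yields [''], so the first id ever appended is stored
    // as ",<id>" (leading empty element). Kept as-is because UserVoted()/GetVotes(), defined
    // elsewhere, may depend on that format — confirm before normalising.
    $votes = explode(',', $votes_raw);
    $sinks = explode(',', $sinks_raw);
    $uservotes = explode(',', $uservotes_raw);
    $usersinks = explode(',', $usersinks_raw);

    // NOTE: this check-then-update is not atomic; two concurrent requests by the same user
    // can both pass UserVoted() and both append. A unique constraint on the votes tables or
    // a transaction around the read/modify/write would close that window.
    if (UserVoted($post_ID, $user_ID)) {
        // The user already voted; nothing is written.
        return 'false';
    }

    if ($type === 'sink') {
        // Append the voter to the post's sink list and the post to the user's sink list.
        $sinks[] = $u_ID;
        $usersinks[] = $p_ID;
        $wpdb->query($wpdb->prepare("UPDATE {$postTable} SET usersinks = %s WHERE post = %s", implode(',', $sinks), $post_ID));
        $wpdb->query($wpdb->prepare("UPDATE {$userTable} SET sinks = %s WHERE user = %s", implode(',', $usersinks), $userKey));
    } else {
        // Append the voter to the post's vote list and the post to the user's vote list.
        $votes[] = $u_ID;
        $uservotes[] = $p_ID;
        $wpdb->query($wpdb->prepare("UPDATE {$postTable} SET votes = %s WHERE post = %s", implode(',', $votes), $post_ID));
        $wpdb->query($wpdb->prepare("UPDATE {$userTable} SET votes = %s WHERE user = %s", implode(',', $uservotes), $userKey));
    }

    return 'true';
}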
コード例 #2
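/**
 * Records a vote (or a "sink") by $user_ID on $post_ID and returns the post's vote count.
 *
 * Storage model: comma-separated id lists on the post's row in {prefix}votes
 * (`votes` / `usersinks`) and on the user's row in {prefix}votes_users (`votes` / `sinks`).
 * Whether or not a new vote is written, the count from GetVotes() is returned; after a
 * successful write it is also mirrored into the post's 'votes' meta.
 *
 * Fixes relative to the original listing:
 *  - the sink branch referenced an undefined `$votesinks_raw`, so every sink wiped the
 *    user's vote list (it wrote '' back into votes_users.votes);
 *  - all values now go through $wpdb->prepare() instead of being concatenated into SQL
 *    (the original used the deprecated $wpdb->escape() and string-built queries);
 *  - only the two columns that actually change are written, so an unchanged column is no
 *    longer overwritten with a stale copy.
 *
 * @param int|string $post_ID post being voted on
 * @param int|string $user_ID voting user
 * @param string     $type    'sink' records a sink; any other value records a vote
 * @return mixed false when the current user lacks the 'read' capability; otherwise the
 *               value of GetVotes($post_ID) (the post's vote count, defined elsewhere)
 */
function Vote($post_ID, $user_ID, $type)
{
    global $wpdb;

    // Only users with the 'read' capability may vote. NOTE(review): this gates on the
    // *current* user but the vote is recorded for the $user_ID argument, and nothing here
    // ties the two together — callers must not pass a request-supplied id here; binding
    // $user_ID to get_current_user_id() would make the check meaningful.
    if (!current_user_can('read')) {
        return false;
    }

    // Table names cannot be bound by prepare(); $wpdb->prefix is trusted configuration.
    $postTable = $wpdb->prefix . 'votes';
    $userTable = $wpdb->prefix . 'votes_users';

    // NOTE(review): in this listing every user-side WHERE clause compares against the
    // literal '******' rather than an id — presumably a redaction of $u_ID. Confirm against
    // the original plugin source before relying on the user-side queries.
    $userKey = '******';

    // Escaped copies are kept for the helpers that received them in the original code
    // (and that end up inside the stored lists); esc_sql() replaces the deprecated
    // $wpdb->escape(). The queries themselves bind the raw ids through prepare().
    $p_ID = esc_sql($post_ID);
    $u_ID = esc_sql($user_ID);

    // Create the post / user rows if they do not exist yet (helpers defined elsewhere).
    SetPost($p_ID);
    SetUser($u_ID);

    // Read the current lists. The (string) cast guards against a NULL column: explode() on
    // null is deprecated since PHP 8.1 and yields the same [''] as an empty string.
    $votes_raw = (string) $wpdb->get_var($wpdb->prepare("SELECT votes FROM {$postTable} WHERE post = %s", $post_ID));
    $sinks_raw = (string) $wpdb->get_var($wpdb->prepare("SELECT usersinks FROM {$postTable} WHERE post = %s", $post_ID));
    $uservotes_raw = (string) $wpdb->get_var($wpdb->prepare("SELECT votes FROM {$userTable} WHERE user = %s", $userKey));
    $usersinks_raw = (string) $wpdb->get_var($wpdb->prepare("SELECT sinks FROM {$userTable} WHERE user = %s", $userKey));

    // NOTE: explode() of an empty list yields [''], so the first id ever appended is stored
    // as ",<id>" (leading empty element). Kept as-is because UserVoted()/GetVotes(), defined
    // elsewhere, may depend on that format — confirm before normalising.
    $votes = explode(',', $votes_raw);
    $sinks = explode(',', $sinks_raw);
    $uservotes = explode(',', $uservotes_raw);
    $usersinks = explode(',', $usersinks_raw);

    // NOTE: this check-then-update is not atomic; two concurrent requests by the same user
    // can both pass UserVoted() and both append. A unique constraint on the votes tables or
    // a transaction around the read/modify/write would close that window.
    if (UserVoted($post_ID, $user_ID)) {
        // Already voted: nothing is written, but the current count is still returned.
        return GetVotes($post_ID);
    }

    if ($type === 'sink') {
        // Append the voter to the post's sink list and the post to the user's sink list.
        $sinks[] = $u_ID;
        $usersinks[] = $p_ID;
        $wpdb->query($wpdb->prepare("UPDATE {$postTable} SET usersinks = %s WHERE post = %s", implode(',', $sinks), $post_ID));
        $wpdb->query($wpdb->prepare("UPDATE {$userTable} SET sinks = %s WHERE user = %s", implode(',', $usersinks), $userKey));
    } else {
        // Append the voter to the post's vote list and the post to the user's vote list.
        $votes[] = $u_ID;
        $uservotes[] = $p_ID;
        $wpdb->query($wpdb->prepare("UPDATE {$postTable} SET votes = %s WHERE post = %s", implode(',', $votes), $post_ID));
        $wpdb->query($wpdb->prepare("UPDATE {$userTable} SET votes = %s WHERE user = %s", implode(',', $uservotes), $userKey));
    }

    // Mirror the new count into post meta so it can be read without touching the votes table.
    $result = GetVotes($post_ID);
    update_post_meta($post_ID, 'votes', $result);

    return $result;
}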