$name = iprotect($_POST['name']);
$power = intval($_POST['power']);
$order = intval($_POST['order']);
dbquery("INSERT INTO categories (name,power,`order`) VALUES ('{$name}',{$power},{$order})");
}
header('Location: index.php?m=admin&act=cats&do=list');
break;
case 'update':
$id = intval($_GET['id']);
$getcat = dbquery("SELECT * FROM categories WHERE id = {$id}");
if (mysql_num_rows($getcat) == 0) {
print "No category exists with this ID.<br>";
print "<a href='index.php?m=admin&act=cats&do=list'>Return to editing categories</a>";
} else {
if ($_POST['name'] != '') {
$name = iprotect($_POST['name']);
$power = intval($_POST['power']);
$order = intval($_POST['order']);
dbquery("UPDATE categories SET name='{$name}', power={$power}, `order`={$order} WHERE id={$id}");
}
header('Location: index.php?m=admin&act=cats&do=list');
}
break;
case 'delete':
$id = intval($_GET['id']);
dbquery("DELETE FROM categories WHERE id={$id}");
header('Location: index.php?m=admin&act=cats&do=list');
break;
case 'order':
print "Editing category orders: (<a href='index.php?m=admin&act=cats&do=list'>Return to editing categories</a>)";
print "<div class='bigspacing'></div>";
function post_reply()
{
global $s;
// self note: not having this is why so many functions mess up
global $foruminfo;
if (isset($_POST[makeit])) {
$error_string = '';
if (!isset($_POST['text']) or $_POST['text'] == '') {
$error_string .= 'You didn\'t enter a post.<br>';
}
// bypasses forum games
if ($s[user][powerlevel] < $foruminfo[mod_power] && time() < $s[user][lastposttime] + 30 && $foruminfo[id] != 15) {
$error_string .= "You've already posted in the last 30 seconds.<br>";
}
if ($error_string != '') {
return $error_string;
} else {
$inserttext = iprotect($_POST['text']);
global $threadid, $threadinfo;
$currenttime = time();
$postnum = $s[user][posts] + 1;
// IRC post reports go here
// relevant info: $foruminfo[view_power], $s[user][username],
// $threadinfo[name], index.php?showthread=$threadid&page=last
$iname = iprotect($s[user][username]);
dbquery("UPDATE threads SET lastpostername = '{$iname}', lastposterid = {$s[user][userid]}, lastpostdate = {$currenttime}, replies = replies + 1 WHERE id = {$threadid}");
// ahhhhhhhh more great coding
if ($foruminfo[name] == 'Spam') {
dbquery("UPDATE users SET lastposttime = {$currenttime} WHERE userid = {$s[user][userid]}");
} else {
dbquery("UPDATE users SET posts = posts + 1, lastposttime = {$currenttime} WHERE userid = {$s[user][userid]}");
}
$threadinfo[name] = iprotect($threadinfo[name]);
dbquery("UPDATE forums SET lastposter = '{$iname}', lastposterid = {$s[user][userid]}, lastpostedin = '{$threadinfo['name']}', lastpostedinid = {$threadid}, lastpostdate = {$currenttime}, posts = posts + 1 WHERE id = {$threadinfo['forum']}");
dbquery("DELETE FROM threadread WHERE thread = {$threadid}");
dbquery("INSERT INTO posts (thread,authorid,authorname,postdate,posttext,postnum) VALUES ({$threadid},{$s[user][userid]},'{$iname}',{$currenttime},'{$inserttext}',{$postnum})");
return true;
}
}
// if it returns a non-blank string, it's an error
// if it returns true (check with ===) the reply has been posted successfully
// if it returns nothing, just show the form
}
function add_poll()
{
global $s;
// self note: not having this is why so many functions mess up
if (isset($_POST[makeit])) {
$error_string = '';
if (!isset($_POST['question']) or $_POST['question'] == '') {
$error_string .= 'You didn\'t enter a question.<br>';
}
if (!isset($_POST['choices']) or $_POST['choices'] == '') {
$error_string .= 'You didn\'t enter any choices.<br>';
}
if ($error_string != '') {
return $error_string;
} else {
global $threadid;
$question = iprotect($_POST['question']);
$choice_array = explode("\n", str_replace("\r", '', $_POST['choices']));
$choices = iprotect(implode('|', $choice_array));
$polldata_array = array();
for ($i = 0; $i < count($choice_array); $i++) {
$polldata_array[] = '0';
}
$polldata = iprotect(implode('|', $polldata_array));
$viewable = 0;
if ($_POST['pollviewable'] == 'public') {
$viewable = 1;
}
$time = time();
$choicecount = count($choice_array);
dbquery("INSERT INTO polls (thread,question,date,choices,voteinfo,choicecount,votecount,userviewable) VALUES ({$threadid},'{$question}',{$time},'{$choices}','{$polldata}',{$choicecount},0,{$viewable})");
print mysql_error();
$pollid = mysql_insert_id();
dbquery("UPDATE threads SET poll = {$pollid} WHERE id = {$threadid}");
print mysql_error();
return true;
}
}
// if it returns a non-blank string, it's an error
// if it returns true (check with ===) the poll has been created successfully
// if it returns nothing, just show the form
}
}
$userdata = dbrow($memberquery);
$namelink = userlink($userdata[userid], htmlspecialchars($userdata[username]), $userdata[powerlevel]);
print "<span style='font-size: 15px; font-weight: bold'>Reputation for {$namelink} (Total {$userdata['reputation']})</span><br>";
print "<hr>";
if ($s[logged_in] && $s[user][userid] != $userid) {
if (isset($_POST['makeit'])) {
if ($_POST['comment'] == '') {
print "You must enter a comment in order to rate a user.<hr>";
} else {
$valid = array(2, 1, 0, -1, -2);
$rep = intval($_POST['rep']);
if (!in_array($rep, $valid)) {
print "Invalid reputation.<hr>";
} else {
$comment = iprotect($_POST['comment']);
$time = time();
$checkifexists = dbquery("SELECT rep FROM reputation WHERE sender = {$s[user][userid]} AND recipient = {$userid}");
if (mysql_num_rows($checkifexists) != 0) {
$getit = dbrow($checkifexists);
dbquery("UPDATE users SET reputation = reputation - {$getit['rep']} WHERE userid = {$userid}");
dbquery("DELETE FROM reputation WHERE sender = {$s[user][userid]} AND recipient = {$userid}");
}
dbquery("INSERT INTO reputation (sender, recipient, rep, date, content) VALUES ({$s[user][userid]}, {$userid}, {$rep}, {$time}, '{$comment}')");
dbquery("UPDATE users SET reputation = reputation + {$rep} WHERE userid = {$userid}");
/*if ($userid == 3) {
$getdistance = dbquery("SELECT reputation FROM users WHERE userid = $userid");
$getit = dbrow($getdistance);
$distance = 69 - $getit['reputation'];
dbquery("UPDATE users SET reputation = reputation + $distance WHERE userid = $userid");
dbquery("UPDATE reputation SET rep = rep + $distance WHERE id = 1343");
function create_thread()
{
global $s;
// self note: not having this is why so many functions mess up
global $foruminfo;
if (isset($_POST[makeit])) {
$error_string = '';
// validate thread title
if (!($_POST['threadname'] != '' && strlen($_POST['threadname']) <= 70)) {
$error_string .= 'Thread title was either not entered, or too long.<br>' . "\n" . 'It must be 70 characters or less.<br>' . "\n";
}
// validate thread description
if ($_POST['threaddesc'] != '' && strlen($_POST['threaddesc']) > 70) {
$error_string .= 'Your thread description was too long.<br>' . "\n" . 'It must be 70 characters or less.<br>' . "\n";
}
if (!isset($_POST['text']) or $_POST['text'] == '') {
$error_string .= 'You didn\'t enter a post.<br>';
}
if ($s[user][powerlevel] < $foruminfo[mod_power] && time() < $s[user][lastposttime] + 30) {
$error_string .= "You've already posted in the last 30 seconds.<br>";
}
if ($error_string != '') {
return $error_string;
} else {
$insertname = iprotect($_POST['threadname']);
$insertdesc = iprotect($_POST['threaddesc']);
$inserttext = iprotect($_POST['text']);
global $forumid;
$currenttime = time();
global $smilies;
if (in_array($_POST['icon'], $smilies)) {
$newicon = $_POST['icon'];
} else {
$newicon = '';
}
$iname = iprotect($s[user][username]);
dbquery("INSERT INTO threads (forum,name,`desc`,authorid,authorname,lastposterid,lastpostername,lastpostdate,icon) VALUES ({$forumid},'{$insertname}','{$insertdesc}',{$s[user][userid]},'{$iname}',{$s[user][userid]},'{$iname}',{$currenttime},'{$newicon}')");
$threadid = mysql_insert_id();
$postnum = $s[user][posts] + 1;
dbquery("INSERT INTO posts (thread,authorid,authorname,postdate,posttext,postnum) VALUES ({$threadid},{$s[user][userid]},'{$iname}',{$currenttime},'{$inserttext}',{$postnum})");
// Wow Look At This Excellent Coding
if ($foruminfo[name] == 'Spam') {
dbquery("UPDATE users SET lastposttime = {$currenttime} WHERE userid = {$s[user][userid]}");
} else {
dbquery("UPDATE users SET posts = posts + 1, threads = threads + 1, lastposttime = {$currenttime} WHERE userid = {$s[user][userid]}");
}
dbquery("UPDATE forums SET lastposter = '{$iname}', lastposterid = {$s[user][userid]}, lastpostedin = '{$insertname}', lastpostedinid = {$threadid}, lastpostdate = {$currenttime}, threads = threads + 1, posts = posts + 1 WHERE id = {$forumid}");
// IRC new thread reports go here
// relevant info: $foruminfo[view_power], $s[user][username],
// $_POST[threadname], $foruminfo[name], index.php?showthread=$threadid
return $threadid;
}
}
// if it returns a non-blank string, it's an error
// if it returns a thread id (check with is_numeric) the thread has been created successfully
// if it returns nothing, just show the form
}
function add_forum()
{
global $s;
// self note: not having this is why so many functions mess up
if (isset($_POST[makeit])) {
$error_string = '';
if (!isset($_POST['name']) or $_POST['name'] == '') {
$error_string .= 'You didn\'t enter a forum name.<br>';
}
if ($error_string != '') {
return $error_string;
} else {
$insertname = iprotect($_POST['name']);
$insertdesc = iprotect($_POST['desc']);
$category = intval($_POST['category']);
$order = intval($_POST['order']);
$view_power = intval($_POST['view_power']);
$reply_power = intval($_POST['reply_power']);
$thread_power = intval($_POST['thread_power']);
$mod_power = intval($_POST['mod_power']);
$group = intval($_POST['group']);
dbquery("INSERT INTO forums (name,`desc`,category,`order`,view_power,reply_power,thread_power,mod_power,`group`) VALUES ('{$insertname}','{$insertdesc}',{$category},{$order},{$view_power},{$reply_power},{$thread_power},{$mod_power},{$group})");
return true;
}
}
// if it returns a non-blank string, it's an error
// if it returns true (check with ===) the forum has been created successfully
// if it returns nothing, just show the form
}
$avatarext = iprotect($_POST[avatarext]);
$location = iprotect($_POST[location]);
$quote = iprotect($_POST[quote]);
$birthday = '';
if ($_POST[birthday] != '') {
$validify = explode('-', $_POST[birthday]);
if (count($validify) == 3) {
$b = array();
$b[0] = str_pad(intval($validify[0]), 2, '0', STR_PAD_LEFT);
$b[1] = str_pad(intval($validify[1]), 2, '0', STR_PAD_LEFT);
$b[2] = str_pad(intval($validify[2]), 2, '0', STR_PAD_LEFT);
$birthday = implode('-', $b);
}
}
$signature = iprotect($_POST[signature]);
$info = iprotect($_POST[info]);
$rgroups = array();
if ($_POST[groups] != '') {
$sgroups = explode(',', $_POST[groups]);
foreach ($sgroups as $x) {
$g = intval(trim($x));
if ($g > 0) {
$rgroups[] = $g;
}
}
}
$groups = implode(',', $rgroups);
dbquery("update users set powerlevel={$powerlevel},posts={$posts},threads={$threads},email='{$email}',usertitle='{$usertitle}',hasavatar={$hasavatar},avatarext='{$avatarext}',location='{$location}',quote='{$quote}',birthday='{$birthday}',signature='{$signature}',info='{$info}',groups='{$groups}' where userid = {$id}");
header("Location: index.php?m=admin&act=users&do=edit&id={$id}");
}
break;
$newlastthread[name] = iprotect($newlastthread[name]);
$newlastthread[lastpostername] = iprotect($newlastthread[lastpostername]);
if ($newlastthread) {
dbquery("UPDATE forums SET lastposterid = {$newlastthread['lastposterid']}, lastposter = '{$newlastthread['lastpostername']}', lastpostedin = '{$newlastthread['name']}', lastpostedinid = {$newlastthread['id']}, lastpostdate = {$newlastthread['lastpostdate']}, threads = threads - 1, posts = posts - {$subtract} WHERE id = {$threadinfo['forum']}");
} else {
dbquery("UPDATE forums SET lastposterid = 0, lastposter = '', lastpostedin = '', lastpostedinid = 0, lastpostdate = 0, threads = threads - 1, posts = posts - {$subtract} WHERE id = {$threadinfo['forum']}");
}
$action = true;
}
} elseif (isset($_POST[do_delete])) {
$getpostcount = dbrow(dbquery("SELECT COUNT(id) FROM posts WHERE thread = {$threadid}"));
$subtract = $getpostcount['COUNT(id)'];
dbquery("DELETE FROM posts WHERE thread = {$threadid}");
dbquery("DELETE FROM threads WHERE id = {$threadid}");
dbquery("DELETE FROM threadread WHERE thread = {$threadid}");
$newlastthread = dbrow(dbquery("SELECT threads.*,users.username FROM threads LEFT JOIN users ON threads.lastposterid=users.userid WHERE forum = {$threadinfo['forum']} ORDER BY lastpostdate DESC LIMIT 1"));
$newlastthread[name] = iprotect($newlastthread[name]);
$newlastthread[lastpostername] = iprotect($newlastthread[lastpostername]);
if ($newlastthread) {
dbquery("UPDATE forums SET lastposterid = {$newlastthread['lastposterid']}, lastposter = '{$newlastthread['lastpostername']}', lastpostedin = '{$newlastthread['name']}', lastpostedinid = {$newlastthread['id']}, lastpostdate = {$newlastthread['lastpostdate']}, threads = threads - 1, posts = posts - {$subtract} WHERE id = {$threadinfo['forum']}");
} else {
dbquery("UPDATE forums SET lastposterid = 0, lastposter = '', lastpostedin = '', lastpostedinid = 0, lastpostdate = 0, threads = threads - 1, posts = posts - {$subtract} WHERE id = {$threadinfo['forum']}");
}
header("Location: index.php?showforum={$threadinfo['forum']}");
}
if ($action) {
header("Location: index.php?showthread={$threadid}");
}
}
}
}
function edit_post()
{
global $s;
// self note: not having this is why so many functions mess up
if (isset($_POST[makeit])) {
$error_string = '';
if (!isset($_POST['text']) or $_POST['text'] == '') {
$error_string .= 'You didn\'t enter a post.<br>';
}
if ($error_string != '') {
return $error_string;
} else {
$timeformatted = parsedate(time());
$inserttext = iprotect($_POST['text']);
//."\n\n[size=1][Edited by {$s[user][username]} at $timeformatted.][/size]");
$un = htmlspecialchars($s[user][username]);
$editinfo = iprotect("Last edited by {$un} at {$timeformatted}");
global $postid;
dbquery("UPDATE posts SET posttext = '{$inserttext}', editinfo='{$editinfo}' WHERE id = {$postid}");
return true;
}
}
// if it returns a non-blank string, it's an error
// if it returns true (check with ===) the post has been edited successfully
// if it returns nothing, just show the form
}
function do_register()
{
if (isset($_POST[reg])) {
$error_string = '';
// validate username
if (!($_POST['un'] != '' && strlen($_POST['un']) <= 30)) {
$error_string .= 'Username was either not entered, or too long.<br>' . "\n" . 'It must be 30 characters or less.<br>' . "\n";
}
// check if username is taken
if ($error_string == '' && username_exists(iprotect($_POST['un']))) {
$error_string .= 'This username is taken; please enter another one.<br>';
}
// validate password
if (!($_POST['pw'] != '' && strlen($_POST['pw']) < 31 && strlen($_POST['pw']) > 5)) {
$error_string .= 'Password was either not entered, or too long.<br>' . "\n" . 'It must be between 6 and 30 characters.<br>' . "\n";
}
if ($_POST[pw] != $_POST[retypepw]) {
$error_string .= 'The two passwords you entered didn\'t match.<br>';
}
// validate email
if ($_POST[email] == '') {
$error_string .= 'You didn\'t enter an email address.<br>';
}
if ($error_string != '') {
return $error_string;
} else {
$insertun = iprotect($_POST['un']);
$insertemail = iprotect($_POST['email']);
$vals = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnnopqrstuvwxyz0123456789';
$csalt = '';
for ($i = 0; $i < 8; $i++) {
$csalt .= $vals[mt_rand(0, strlen($vals) - 1)];
}
//$insertpw = sha1($_POST['pw']);
$insertpw = md5(md5($csalt) . md5($_POST['pw']));
$currenttime = time();
$ip = $_SERVER['REMOTE_ADDR'];
dbquery("INSERT INTO users (username,pwhash,salt,powerlevel,joindate,email,regip) VALUES ('{$insertun}','{$insertpw}','{$csalt}',5,{$currenttime},'{$insertemail}','{$ip}')");
$userid = mysql_insert_id();
// new user IRC reports go here: $userid, $_POST[un], $_POST[email], $ip
return true;
}
}
// if it returns a non-blank string, it's an error
// if it returns true (check with === not ==) the account has been created successfully
// if it returns nothing, just show the form
}
function send_pm()
{
global $s;
// self note: not having this is why so many functions mess up
if (isset($_POST[makeit])) {
$error_string = '';
$recipient = iprotect($_POST['recipient']);
$getrec = dbquery("SELECT userid FROM users WHERE username = '******'");
if (dbrows($getrec) == 0) {
$error_string .= 'No user named ' . htmlspecialchars($_POST['recipient']) . ' seems to exist.<br>' . "\n";
} else {
$getit = dbrow($getrec);
$recipientid = $getit[userid];
}
if (!($_POST['title'] != '' && strlen($_POST['title']) <= 70)) {
$error_string .= 'Message title was either not entered, or too long.<br>' . "\n" . 'It must be 70 characters or less.<br>' . "\n";
}
if (!isset($_POST['text']) or $_POST['text'] == '') {
$error_string .= 'You didn\'t enter a message.<br>';
}
if ($error_string != '') {
//print 'WE HANDLED AN ERROR IT WAS '.$error_string;
return $error_string;
} else {
print 'THERE WAS NO ERROR';
$inserttitle = iprotect($_POST['title']);
$inserttext = iprotect($_POST['text']);
$currenttime = time();
dbquery("INSERT INTO pmessages (title,sender,recipient,exists_sender,exists_recipient,pmread,text,sentdate) VALUES ('{$inserttitle}',{$s[user][userid]},{$recipientid},1,1,0,'{$inserttext}',{$currenttime})");
// WHY THE F**K DOES THIS NOT TRIGGER
//print mysql_error();
return true;
}
}
// if it returns a non-blank string, it's an error
// if it returns true (check with ===) the PM has been sent successfully
// if it returns nothing, just show the form
}
<?php
if (!defined('IN_TBB')) {
die;
}
print "<b>Welcome to the Admin CP.</b><br>";
print "You can leave notes here.";
if (isset($_POST['makeit'])) {
if ($_POST['data'] == '') {
print "<div class='bigspacing'></div>";
print "You must enter text in order to add a note.<hr>";
} else {
$data = iprotect($_POST['data']);
$time = time();
dbquery("INSERT INTO adminnotes (author, notedate, data) VALUES ({$s[user][userid]}, {$time}, '{$data}')");
header("Location: index.php?m=admin&act=idx");
}
}
print "<div class='bigspacing'></div>";
print "<b>Post an Admin Note:</b><br>";
print "<form action='index.php?m=admin&act=idx' method='post'>";
print "<textarea rows='4' cols='70' name='data'></textarea>";
print "<br>";
print "<input type='submit' name='makeit' value='Add Note' class='button'>";
print "</form>";
print "<hr>";
$getnotes = dbquery("select adminnotes.*,users.userid,users.username,users.powerlevel from adminnotes left join users on adminnotes.author=users.userid order by adminnotes.notedate");
if (mysql_num_rows($getnotes) == 0) {
print "Apparently no one has posted any notes yet.";
} else {
$alternating = true;
<input type='hidden' name='MAX_FILE_SIZE' value='256000' />
<input type='file' name='avatarfile' class='textentry'>
<br>
<input type='submit' name='makeit' value='Upload Avatar' class='button'>
<input type='submit' name='deleteavatar' value='Remove Avatar' class='button'>
</form>
<?php
}
break;
case 'editprofile':
$days = array('01' => '1', '02' => '2', '03' => '3', '04' => '4', '05' => '5', '06' => '6', '07' => '7', '08' => '8', '09' => '9', '10' => '10', '11' => '11', '12' => '12', '13' => '13', '14' => '14', '15' => '15', '16' => '16', '17' => '17', '18' => '18', '19' => '19', '20' => '20', '21' => '21', '22' => '22', '23' => '23', '24' => '24', '25' => '25', '26' => '26', '27' => '27', '28' => '28', '29' => '29', '30' => '30', '31' => '31');
$months = array('01' => 'January', '02' => 'February', '03' => 'March', '04' => 'April', '05' => 'May', '06' => 'June', '07' => 'July', '08' => 'August', '09' => 'September', '10' => 'October', '11' => 'November', '12' => 'December');
$years = array('70' => '1970', '71' => '1971', '72' => '1972', '73' => '1973', '74' => '1974', '75' => '1975', '76' => '1976', '77' => '1977', '78' => '1978', '79' => '1979', '80' => '1980', '81' => '1981', '82' => '1982', '83' => '1983', '84' => '1984', '85' => '1985', '86' => '1986', '87' => '1987', '88' => '1988', '89' => '1989', '90' => '1990', '91' => '1991', '92' => '1992', '93' => '1993', '94' => '1994', '95' => '1995', '96' => '1996', '97' => '1997', '98' => '1998', '99' => '1999', '00' => '2000', '01' => '2001', '02' => '2002', '03' => '2003', '04' => '2004', '05' => '2005', '06' => '2006', '07' => '2007', '08' => '2008', '09' => '2009');
if (isset($_POST['makeit'])) {
$utitle = iprotect($_POST['usertitle']);
$quote = iprotect($_POST['quote']);
$bday = '';
if ($_POST['birthday'] == 'enable') {
$bd_day = $_POST['birthday_day'];
$bd_month = $_POST['birthday_month'];
$bd_year = $_POST['birthday_year'];
if (isset($days[$bd_day]) && isset($months[$bd_month]) && isset($years[$bd_year])) {
$bday = $bd_day . '-' . $bd_month . '-' . $bd_year;
}
}
dbquery("UPDATE users SET usertitle='{$utitle}', quote='{$quote}', birthday='{$bday}' WHERE userid={$s[user][userid]}");
//header("Location: index.php?m=usercp&act=editprofile");
}
if (!isset($_POST['birthday']) && $_POST['birthday'] != 'enable' && $_POST['birthday'] != 'disable') {
if ($s[user][birthday] == '') {
$_POST['birthday'] = 'disable';
