function check_login($username, $password, $remember = true)
{
$db = get_db_read();
# Get the salt and check if the user exists at the same time
$result = try_mysql_query("SELECT salt FROM users WHERE username = '******'", $db);
if (mysql_num_rows($result) != 1) {
return null;
}
$row = mysql_fetch_assoc($result);
$salt = $row['salt'];
mysql_free_result($result);
$hashed_password = hash_password($password, $salt);
$ret = get_user_info($db, $username, $hashed_password);
if ($ret == null) {
return null;
}
if ($remember == true) {
setcookie("username", $username, time() + 60 * 60 * 24 * 3000);
setcookie("password", $hashed_password, time() + 60 * 60 * 24 * 3000);
}
$_SESSION["username"] = $username;
return $ret;
}
$pictures_result = try_mysql_query("SELECT * FROM pictures WHERE category_id='{$category_id}'", $db_read);
while ($row = mysql_fetch_assoc($pictures_result)) {
try_mysql_query("DELETE FROM comments WHERE picture_id='" . $pictures_result['picture_id'] . "'", $db_write);
}
mysql_free_result($pictures_result);
try_mysql_query("DELETE FROM pictures WHERE category_id='{$category_id}'", $db_write);
try_mysql_query("DELETE FROM categories WHERE category_id='{$category_id}'", $db_write);
show_message_redirect("Category deleted", "show_user.php?user_id=" . $assoc['user_id']);
} else {
# The user is deleting a picture
$picture_id = $_GET['picture_id'];
if (is_numeric($picture_id) == false) {
redirect_back();
}
// Get the category
$result = try_mysql_query("SELECT user_id,pictures.category_id FROM categories,pictures WHERE categories.category_id = pictures.category_id AND picture_id = {$picture_id}", $db_read);
$assoc = mysql_fetch_assoc($result);
mysql_free_result($result);
if ($me['admin'] != 1 && $assoc['user_id'] != $me['user_id']) {
show_error_redirect_back("Access denied");
}
try_mysql_query("DELETE FROM pictures WHERE picture_id = '{$picture_id}'", $db_write);
try_mysql_query("DELETE FROM comments WHERE picture_id = '{$picture_id}'", $db_write);
show_message_redirect("Picture deleted", "show_category.php?category_id=" . $assoc['category_id']);
}
?>
if ($action == 'authorize') {
if (isset($user_id) == false) {
show_error_redirect_back('No user_id specified');
}
try_mysql_query("UPDATE users SET authorized='1' WHERE user_id='{$user_id}'", $db_write);
show_message_redirect_back("User successfully authorized.");
} else {
if ($action == 'promote') {
if (isset($user_id) == false) {
show_error_redirect_back('No user_id specified');
}
try_mysql_query("UPDATE users SET admin='1' WHERE user_id='{$user_id}'", $db_write);
show_message_redirect_back("User successfully granted admin privilidges");
} else {
if ($action == 'demote') {
if (isset($user_id) == false) {
show_error_redirect_back('No user_id specified');
}
try_mysql_query("UPDATE users SET admin='0' WHERE user_id='{$user_id}'", $db_write);
show_message_redirect_back("User successfully revoked admin privilidges");
} else {
show_error_redirect_back("Unknown action");
}
}
}
?>
$title = mysql_escape_string(htmlentities(trim($_POST['title'])));
$caption = mysql_escape_string(nl2br(htmlentities(trim($_POST['caption']))));
$category = get_category_by_category_id($_POST['category_id'], $db_read);
if (validate_title($title) == false) {
show_error_redirect_back("Invalid title. Titles have to be 0-{$max_length_title} characters.");
}
if (validate_comment($caption) == false) {
show_error_redirect_back("Invalid caption. Captions have to be 0-{$max_length_comment} characters.");
}
# Make sure he's uploading to his own category
$result = try_mysql_query("SELECT * FROM categories WHERE user_id='" . $me['user_id'] . "' AND category_id='" . $category['category_id'] . "'", $db_read);
if (mysql_num_rows($result) == 0) {
show_error_redirect_back("Invalid category.");
}
mysql_free_result($result);
# Insert the new picture
try_mysql_query("INSERT INTO pictures (category_id, title, filename, caption, date_added) VALUES ('" . $category['category_id'] . "', '{$title}', '{$image_filename}', '{$caption}', NOW())", $db_write);
$picture_id = mysql_insert_id($db_write);
# Update the las modified category (used for the default selection in the category combo)
try_mysql_query("UPDATE users SET last_category='" . $category['category_id'] . "' WHERE user_id='" . $me['user_id'] . "'", $db_write);
# Update the last modified time for the private user/category
try_mysql_query("UPDATE users SET last_updated=NOW() WHERE user_id='" . $me['user_id'] . "'", $db_write);
try_mysql_query("UPDATE categories SET last_updated=NOW() WHERE category_id='" . $category['category_id'] . "'", $db_write);
# Set the last modified time for the public user/category
if ($category['private'] != '1') {
try_mysql_query("UPDATE users SET last_updated_public=NOW() WHERE user_id='" . $me['user_id'] . "'", $db_write);
try_mysql_query("UPDATE categories SET last_updated_public=NOW() WHERE category_id='" . $category['category_id'] . "'", $db_write);
}
$user_ids = get_emails_notify_pictures($db_read);
smtp_send($user_ids, "OSPAP - New Picture", "New picture notification", "A new picture has been posted in " . $me['username'] . "'s category, " . $category['name'] . "! Here is a link to it:\n\n" . get_full_path_to("show_picture.php?picture_id=" . $picture_id) . "\n\nTitle: {$title}\n\nCaption:\n{$caption}\n\nNote: this is an automatic email, please don't reply.");
show_message_redirect("Picture successfully uploaded", "show_category.php?category_id=" . $category['category_id']);
function get_unauthorized_users($db)
{
$result = try_mysql_query("SELECT * FROM users WHERE authorized='0'", $db);
$ret = array();
while ($this_result = mysql_fetch_assoc($result)) {
array_push($ret, $this_result);
}
mysql_free_result($result);
return $ret;
}
#
header('Pragma: no-cache');
require_once 'shared.php';
# Make a connection to the database
$db_read = get_db_read();
$db_write = get_db_write();
if (!$me) {
redirect("index.php");
}
if (isset($_POST['category']) == false) {
redirect("index.php");
}
$category = mysql_escape_string(htmlentities(trim($_POST['category'])));
$private = isset($_POST['private']) ? '1' : '0';
if (validate_category($category) == false) {
show_error_redirect_back("Please enter a valid category name (between 3 and {$max_length_category} characters)");
}
$result = try_mysql_query("SELECT * FROM categories WHERE name = '{$category}' AND user_id = '" . $me['user_id'] . "'", $db_read);
if (mysql_num_rows($result) > 0) {
show_error_redirect_back('Error: you already have a category with that name!');
}
try_mysql_query("INSERT INTO categories (user_id, name, private, date_created, last_updated, last_updated_public) VALUES (" . $me['user_id'] . ", '{$category}', '{$private}', NOW(), 0, 0)", $db_write);
$category_id = mysql_insert_id($db_write);
try_mysql_query("UPDATE users SET last_category='{$category_id}' WHERE user_id='" . $me['user_id'] . "'", $db_write);
show_message_redirect_back("Category successfully created!");
?>
# post_comment.php
# Post a comment on an image.
#
header('Pragma: no-cache');
require 'shared.php';
# Make a connection to the database
$db_read = get_db_read();
$db_write = get_db_write();
if (!$me) {
show_error_redirect_back("Please log in first");
}
if (isset($_POST['picture_id']) == false) {
show_error_redirect_back("Couldn't find picture id");
}
if (isset($_POST['comment']) == false) {
show_error_redirect_back("Couldn't find comment");
}
$comment = mysql_escape_string(nl2br(htmlentities(trim($_POST['comment']))));
$picture_id = $_POST['picture_id'];
if (validate_comment($comment) == false) {
show_error_redirect_back("Invalid comment. Comments have to be 0-{$max_length_comment} characters.");
}
if (is_numeric($picture_id) == false) {
show_error_redirect_back("Invalid category.");
}
try_mysql_query("INSERT INTO comments (user_id, picture_id, text, date_added) VALUES ('" . $me['user_id'] . "', '{$picture_id}', '{$comment}', NOW())", $db_write);
$user = get_user_from_picture_id($picture_id, $db_read);
if ($user['notify_comments'] == '1') {
smtp_send(array($user['email']), "OSPAP - New Comment", "New Comment Notification", "A new comment has been posted for one of your pictures! It was posted by " . $me['username'] . " and can be viewed here:\n" . get_full_path_to("show_picture.php?picture_id={$picture_id}") . "\n\nNote: this is an automatic email, please don't reply.");
}
show_message_redirect("Comment added", "show_picture.php?picture_id={$picture_id}#comments");
show_error_redirect_back("Please enter a username made up of 3 - 14 alpha-numeric characters");
}
if (validate_password($password) == false) {
show_error_redirect_back("Please enter a password that is at least 6 characters (it's for your own protection!)");
}
if (validate_email($email) == false) {
show_error_redirect_back("Please enter a valid email address");
}
# Check if the username is being used
$result = try_mysql_query("SELECT * FROM users WHERE username='******'", $db_read);
if (mysql_num_rows($result) > 0) {
show_error_redirect_back("Sorry, that username is already in use.");
}
mysql_free_result($result);
# Check if the email address is already used
$result = try_mysql_query("SELECT * FROM users WHERE email='" . $email . "'", $db_read);
if (mysql_num_rows($result) > 0) {
show_error_redirect_back("Sorry, that email address is already in use.");
}
mysql_free_result($result);
# Generate the salt and hash the password
$salt = generate_salt();
$hashed_password = hash_password($password, $salt);
try_mysql_query("INSERT INTO users (username, password, salt, email, date_registered, authorized, admin, last_updated, last_updated_public, notify_comments, notify_pictures) VALUES ('{$username}', '{$hashed_password}', '{$salt}', '{$email}', NOW(), '{$require_authorization}', '{$admin}', '0', '0', '{$notify_comments}', '{$notify_pictures}')", $db_write);
show_message_redirect_back("Account created! Please log in.");
?>
