function check_login($username, $password, $remember = true) {
    # Authenticate a username/password pair against the users table.
    #
    # Returns whatever get_user_info() returns for a matching hash, or null
    # when no single user row exists for the name or the hash does not match.
    # On success $_SESSION["username"] is set and, when $remember is truthy,
    # "username" and "password" cookies are written with a ~3000-day expiry.
    #
    # NOTE(review): the "password" cookie carries the salted hash itself, so
    # a captured cookie is a replayable credential for roughly eight years;
    # a random, server-side revocable remember-me token is the usual
    # alternative. setcookie() is called without HttpOnly/Secure flags.
    # NOTE(review): the SELECT matches the literal '******' rather than
    # $username — this looks like a redaction of the original interpolation
    # (which would itself need escaping); confirm against the upstream source.
    $db = get_db_read();

    # One query both fetches the salt and doubles as the existence check.
    $salt_result = try_mysql_query("SELECT salt FROM users WHERE username = '******'", $db);
    $single_match = (mysql_num_rows($salt_result) == 1);
    if (!$single_match) {
        return null;
    }
    $salt_row = mysql_fetch_assoc($salt_result);
    mysql_free_result($salt_result);

    $hashed_password = hash_password($password, $salt_row['salt']);
    $user = get_user_info($db, $username, $hashed_password);
    if ($user == null) {
        return null;
    }

    if ($remember) {
        # Same expiry for both cookies: 3000 days from now.
        $expires = time() + 60 * 60 * 24 * 3000;
        setcookie("username", $username, $expires);
        setcookie("password", $hashed_password, $expires);
    }
    $_SESSION["username"] = $username;
    return $user;
}
# NOTE: this fragment begins inside the branch that deletes a whole category;
# the opening of that if, and the origin of $category_id, $assoc, $me,
# $db_read and $db_write, are above this excerpt. Whether $category_id was
# numeric-checked or escaped before being interpolated below is not visible
# here — confirm. The redirect helpers are relied on to end the request.
$pictures_result = try_mysql_query("SELECT * FROM pictures WHERE category_id='{$category_id}'", $db_read);
while ($row = mysql_fetch_assoc($pictures_result)) {
    # BUG(review): $pictures_result is the result resource, not the fetched
    # row, so $pictures_result['picture_id'] is empty and this DELETE never
    # removes the comments of the pictures deleted below (it should read
    # $row['picture_id']). Orphaned comment rows are the consequence.
    try_mysql_query("DELETE FROM comments WHERE picture_id='" . $pictures_result['picture_id'] . "'", $db_write);
}
mysql_free_result($pictures_result);
try_mysql_query("DELETE FROM pictures WHERE category_id='{$category_id}'", $db_write);
try_mysql_query("DELETE FROM categories WHERE category_id='{$category_id}'", $db_write);
show_message_redirect("Category deleted", "show_user.php?user_id=" . $assoc['user_id']);
} else {
    # The user is deleting a picture
    $picture_id = $_GET['picture_id'];
    # picture_id is interpolated unquoted into the SELECT/DELETEs below, so
    # only numeric values may pass; redirect_back() is assumed to exit.
    if (is_numeric($picture_id) == false) {
        redirect_back();
    }
    // Get the category (and its owner) for this picture
    $result = try_mysql_query("SELECT user_id,pictures.category_id FROM categories,pictures WHERE categories.category_id = pictures.category_id AND picture_id = {$picture_id}", $db_read);
    $assoc = mysql_fetch_assoc($result);
    mysql_free_result($result);
    # Only admins or the owning user may delete; for an unknown picture
    # $assoc is false, so a non-admin is refused and an admin deletes nothing.
    if ($me['admin'] != 1 && $assoc['user_id'] != $me['user_id']) {
        show_error_redirect_back("Access denied");
    }
    try_mysql_query("DELETE FROM pictures WHERE picture_id = '{$picture_id}'", $db_write);
    try_mysql_query("DELETE FROM comments WHERE picture_id = '{$picture_id}'", $db_write);
    show_message_redirect("Picture deleted", "show_category.php?category_id=" . $assoc['category_id']);
}
?>
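# Admin actions on a single user account. $action, $user_id and $db_write
# are set by the enclosing script (outside this fragment). Every branch runs
# one UPDATE and then hands off to a redirect helper; like the original,
# this relies on show_error_redirect_back()/show_message_redirect_back()
# ending the request, otherwise control would fall through.
$user_actions = array(
    # action => array(UPDATE with a %s placeholder for user_id, success message)
    'authorize' => array("UPDATE users SET authorized='1' WHERE user_id='%s'", "User successfully authorized."),
    'promote'   => array("UPDATE users SET admin='1' WHERE user_id='%s'", "User successfully granted admin privilidges"),
    'demote'    => array("UPDATE users SET admin='0' WHERE user_id='%s'", "User successfully revoked admin privilidges"),
);
if (!is_string($action) || !isset($user_actions[$action])) {
    show_error_redirect_back("Unknown action");
}
if (!isset($user_id)) {
    show_error_redirect_back('No user_id specified');
}
# user_id ends up inside a quoted SQL literal without escaping; accept only
# numeric values (the same check the picture/comment scripts apply to their
# ids) so a crafted value cannot alter the statement.
if (!is_numeric($user_id)) {
    show_error_redirect_back('Invalid user_id');
}
list($sql, $message) = $user_actions[$action];
try_mysql_query(sprintf($sql, $user_id), $db_write);
show_message_redirect_back($message);
?>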
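# Store a newly uploaded picture in the poster's own category and notify
# subscribers. Expects $_POST['title'], $_POST['caption'], $_POST['category_id'],
# plus $me, $image_filename, $max_length_title, $max_length_comment, $db_read
# and $db_write from the enclosing script (outside this fragment). The
# redirect helpers are relied on to end the request on every error path.
$title = htmlentities(trim($_POST['title']));
$caption = nl2br(htmlentities(trim($_POST['caption'])));
# Whether get_category_by_category_id() escapes its argument is not visible
# here; the ownership check below only trusts the category_id it returns.
$category = get_category_by_category_id($_POST['category_id'], $db_read);
$user_id = $me['user_id'];
$category_id = $category['category_id'];

# Validate the text as it will be stored (before SQL escaping, which only
# adds transport backslashes and would otherwise inflate the length).
if (!validate_title($title)) {
    show_error_redirect_back("Invalid title. Titles have to be 0-{$max_length_title} characters.");
}
if (!validate_comment($caption)) {
    show_error_redirect_back("Invalid caption. Captions have to be 0-{$max_length_comment} characters.");
}

# Make sure he's uploading to his own category
$result = try_mysql_query("SELECT * FROM categories WHERE user_id='{$user_id}' AND category_id='{$category_id}'", $db_read);
if (mysql_num_rows($result) == 0) {
    show_error_redirect_back("Invalid category.");
}
mysql_free_result($result);

# Escaped copies are for the SQL below only; the notification e-mail uses
# the plain text (previously the escaped strings were mailed, so an
# apostrophe arrived as \').
$title_sql = mysql_escape_string($title);
$caption_sql = mysql_escape_string($caption);

# Insert the new picture
# assumes $image_filename is server-generated and SQL-safe — confirm upstream
try_mysql_query("INSERT INTO pictures (category_id, title, filename, caption, date_added) VALUES ('{$category_id}', '{$title_sql}', '{$image_filename}', '{$caption_sql}', NOW())", $db_write);
$picture_id = mysql_insert_id($db_write);

# Remember the last modified category (default selection in the category combo)
try_mysql_query("UPDATE users SET last_category='{$category_id}' WHERE user_id='{$user_id}'", $db_write);

# Update the last modified time for the private user/category
try_mysql_query("UPDATE users SET last_updated=NOW() WHERE user_id='{$user_id}'", $db_write);
try_mysql_query("UPDATE categories SET last_updated=NOW() WHERE category_id='{$category_id}'", $db_write);

# Set the last modified time for the public user/category
if ($category['private'] != '1') {
    try_mysql_query("UPDATE users SET last_updated_public=NOW() WHERE user_id='{$user_id}'", $db_write);
    try_mysql_query("UPDATE categories SET last_updated_public=NOW() WHERE category_id='{$category_id}'", $db_write);
}

# Notify everyone who opted in to new-picture mails
$recipients = get_emails_notify_pictures($db_read);
smtp_send($recipients, "OSPAP - New Picture", "New picture notification", "A new picture has been posted in " . $me['username'] . "'s category, " . $category['name'] . "! Here is a link to it:\n\n" . get_full_path_to("show_picture.php?picture_id=" . $picture_id) . "\n\nTitle: {$title}\n\nCaption:\n{$caption}\n\nNote: this is an automatic email, please don't reply.");
show_message_redirect("Picture successfully uploaded", "show_category.php?category_id=" . $category_id);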
function get_unauthorized_users($db) {
    # Return every row of `users` whose authorized flag is '0', as a list of
    # associative arrays (empty list when there are none). $db is the
    # caller's connection; the result set is freed before returning.
    $pending = array();
    $result = try_mysql_query("SELECT * FROM users WHERE authorized='0'", $db);
    for ($row = mysql_fetch_assoc($result); $row; $row = mysql_fetch_assoc($result)) {
        $pending[] = $row;
    }
    mysql_free_result($result);
    return $pending;
}
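# header('Pragma: no-cache');
require_once 'shared.php';

# Create a new category for the logged-in user from $_POST['category'] and
# the optional $_POST['private'] flag. shared.php presumably supplies $me
# (the current user row, falsy when not logged in), $max_length_category,
# get_db_read()/get_db_write() and the redirect helpers; as in the original,
# those helpers are relied on to end the request.

# Make a connection to the database
$db_read = get_db_read();
$db_write = get_db_write();

if (!$me) {
    redirect("index.php");
}
if (!isset($_POST['category'])) {
    redirect("index.php");
}

$category = htmlentities(trim($_POST['category']));
$private = isset($_POST['private']) ? '1' : '0';
$user_id = $me['user_id'];

# Validate the name as it will be stored (before SQL escaping, which only
# adds transport backslashes and would otherwise inflate the length).
if (!validate_category($category)) {
    show_error_redirect_back("Please enter a valid category name (between 3 and {$max_length_category} characters)");
}
$category_sql = mysql_escape_string($category);

# Category names are unique per user
$result = try_mysql_query("SELECT * FROM categories WHERE name = '{$category_sql}' AND user_id = '{$user_id}'", $db_read);
if (mysql_num_rows($result) > 0) {
    show_error_redirect_back('Error: you already have a category with that name!');
}
# Release the result like the other scripts do; the original never freed it.
mysql_free_result($result);

try_mysql_query("INSERT INTO categories (user_id, name, private, date_created, last_updated, last_updated_public) VALUES ({$user_id}, '{$category_sql}', '{$private}', NOW(), 0, 0)", $db_write);
$category_id = mysql_insert_id($db_write);

# The new category becomes the user's default selection
try_mysql_query("UPDATE users SET last_category='{$category_id}' WHERE user_id='{$user_id}'", $db_write);
show_message_redirect_back("Category successfully created!");
?>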
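# post_comment.php
# Post a comment on an image.
# header('Pragma: no-cache');
require 'shared.php';

# Expects $_POST['picture_id'] and $_POST['comment']; shared.php presumably
# supplies $me, $max_length_comment, the db connectors and the redirect/mail
# helpers. As in the original, show_error_redirect_back() is relied on to
# end the request on each error path.

# Make a connection to the database
$db_read = get_db_read();
$db_write = get_db_write();

if (!$me) {
    show_error_redirect_back("Please log in first");
}
if (!isset($_POST['picture_id'])) {
    show_error_redirect_back("Couldn't find picture id");
}
if (!isset($_POST['comment'])) {
    show_error_redirect_back("Couldn't find comment");
}

$comment = nl2br(htmlentities(trim($_POST['comment'])));
$picture_id = $_POST['picture_id'];

# Validate the text as it will be stored (before SQL escaping, which only
# adds transport backslashes and would otherwise inflate the length).
if (!validate_comment($comment)) {
    show_error_redirect_back("Invalid comment. Comments have to be 0-{$max_length_comment} characters.");
}
# picture_id is interpolated into SQL below, so it must be numeric. The
# original reported this failure as "Invalid category." — wrong field.
if (!is_numeric($picture_id)) {
    show_error_redirect_back("Invalid picture id.");
}
$comment_sql = mysql_escape_string($comment);

# NOTE(review): the comment is inserted before the picture is looked up, so
# a numeric id for a non-existent picture still creates a comment row —
# confirm whether a foreign key or get_user_from_picture_id() covers this.
try_mysql_query("INSERT INTO comments (user_id, picture_id, text, date_added) VALUES ('" . $me['user_id'] . "', '{$picture_id}', '{$comment_sql}', NOW())", $db_write);

# Mail the picture's owner if they opted in to comment notifications
$owner = get_user_from_picture_id($picture_id, $db_read);
if ($owner['notify_comments'] == '1') {
    smtp_send(array($owner['email']), "OSPAP - New Comment", "New Comment Notification", "A new comment has been posted for one of your pictures! It was posted by " . $me['username'] . " and can be viewed here:\n" . get_full_path_to("show_picture.php?picture_id={$picture_id}") . "\n\nNote: this is an automatic email, please don't reply.");
}
show_message_redirect("Comment added", "show_picture.php?picture_id={$picture_id}#comments");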
# NOTE: this fragment starts inside the username check — the `}` on the next
# line closes an if whose condition is above this excerpt, and $username,
# $password, $email, $require_authorization, $admin, $notify_comments,
# $notify_pictures, $db_read and $db_write are all set there too. Each
# show_error_redirect_back() call is relied on to end the request.
show_error_redirect_back("Please enter a username made up of 3 - 14 alpha-numeric characters"); }
if (validate_password($password) == false) {
    show_error_redirect_back("Please enter a password that is at least 6 characters (it's for your own protection!)");
}
if (validate_email($email) == false) {
    show_error_redirect_back("Please enter a valid email address");
}

# Check if the username is being used
# NOTE(review): the SELECT matches the literal '******' rather than
# $username; this looks like a redaction of the original interpolation —
# confirm against the upstream source.
$result = try_mysql_query("SELECT * FROM users WHERE username='******'", $db_read);
if (mysql_num_rows($result) > 0) {
    show_error_redirect_back("Sorry, that username is already in use.");
}
mysql_free_result($result);

# Check if the email address is already used
# $email goes into the SQL as-is; whether it was escaped above, or whether
# validate_email() rules out quote characters, is not visible here — confirm.
$result = try_mysql_query("SELECT * FROM users WHERE email='" . $email . "'", $db_read);
if (mysql_num_rows($result) > 0) {
    show_error_redirect_back("Sorry, that email address is already in use.");
}
mysql_free_result($result);

# Generate the salt and hash the password
$salt = generate_salt();
$hashed_password = hash_password($password, $salt);
# NOTE(review): the 'authorized' and 'admin' columns are written straight
# from $require_authorization and $admin — confirm both are server-side
# settings that the registration form cannot influence. $username and
# $hashed_password are interpolated unescaped here as well; see above.
try_mysql_query("INSERT INTO users (username, password, salt, email, date_registered, authorized, admin, last_updated, last_updated_public, notify_comments, notify_pictures) VALUES ('{$username}', '{$hashed_password}', '{$salt}', '{$email}', NOW(), '{$require_authorization}', '{$admin}', '0', '0', '{$notify_comments}', '{$notify_pictures}')", $db_write);
show_message_redirect_back("Account created! Please log in.");
?>