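/**
 * Records a vote or a "sink" for a post on behalf of a user.
 *
 * State lives in two tables as comma-separated ID lists:
 *   - {prefix}votes       (keyed by post): `votes` and `usersinks` hold user IDs
 *   - {prefix}votes_users (keyed by user): `votes` and `sinks` hold post IDs
 *
 * @param mixed  $post_ID Post being voted on.
 * @param mixed  $user_ID User casting the vote.
 * @param string $type    'sink' records a sink; any other value records a vote.
 * @return string 'true' when the vote was written, 'false' when UserVoted()
 *                reports that this user already voted on this post.
 */
function Vote($post_ID, $user_ID, $type)
{
    global $wpdb;

    // Escape once, up front. $wpdb->escape() is the helper this file already
    // relies on; newer WordPress deprecates it in favour of $wpdb->prepare().
    $p_ID = $wpdb->escape($post_ID);
    $u_ID = $wpdb->escape($user_ID);

    // Both rows must exist before the SELECTs below, otherwise get_var() returns null.
    SetPost($p_ID);
    SetUser($u_ID);

    // Reject early so the read/modify/write below only runs for a first vote.
    if (UserVoted($post_ID, $user_ID)) {
        return 'false';
    }

    $posts_table = $wpdb->prefix . 'votes';
    $users_table = $wpdb->prefix . 'votes_users';

    // NOTE(review): the user predicate is shown redacted ('******') on this page;
    // confirm the real source binds $u_ID here (ideally via $wpdb->prepare()).
    $votes_raw     = $wpdb->get_var("SELECT votes FROM " . $posts_table . " WHERE post='" . $p_ID . "'");
    $sinks_raw     = $wpdb->get_var("SELECT usersinks FROM " . $posts_table . " WHERE post='" . $p_ID . "'");
    $uservotes_raw = $wpdb->get_var("SELECT votes FROM " . $users_table . " WHERE user='******'");
    $usersinks_raw = $wpdb->get_var("SELECT sinks FROM " . $users_table . " WHERE user='******'");

    // explode() of an empty column yields [""], so a fresh list is stored with a
    // leading comma. Kept as-is: other readers of these columns may depend on it.
    // The (string) cast avoids the PHP 8.1 deprecation for a null get_var() result
    // without changing the produced list.
    $votes     = explode(',', (string) $votes_raw);
    $sinks     = explode(',', (string) $sinks_raw);
    $uservotes = explode(',', (string) $uservotes_raw);
    $usersinks = explode(',', (string) $usersinks_raw);

    if ($type != 'sink') {
        // Vote: append the user to the post's list and the post to the user's list.
        $votes[]     = $u_ID;
        $uservotes[] = $p_ID;
        $votes_result_raw     = implode(',', $votes);
        $uservotes_result_raw = implode(',', $uservotes);
        $sinks_result_raw     = $sinks_raw;
        $usersinks_result_raw = $usersinks_raw;
    } else {
        // Sink: same shape, on the sink columns.
        $sinks[]     = $u_ID;
        $usersinks[] = $p_ID;
        $sinks_result_raw     = implode(',', $sinks);
        $usersinks_result_raw = implode(',', $usersinks);
        $votes_result_raw     = $votes_raw;
        // Bug fix: the original assigned the undefined $votesinks_raw here, which
        // blanked the user's vote list every time a sink was recorded.
        $uservotes_result_raw = $uservotes_raw;
    }

    // The appended IDs were already escaped; escaping the whole list again only
    // matters for non-numeric IDs (double escaping). Same as the original.
    $votes_result_sql     = $wpdb->escape($votes_result_raw);
    $sinks_result_sql     = $wpdb->escape($sinks_result_raw);
    $uservotes_result_sql = $wpdb->escape($uservotes_result_raw);
    $usersinks_result_sql = $wpdb->escape($usersinks_result_raw);

    // All four columns are rewritten, as in the original (untouched ones get their old value back).
    $wpdb->query("UPDATE " . $posts_table . " SET votes='" . $votes_result_sql . "' WHERE post='" . $p_ID . "'");
    $wpdb->query("UPDATE " . $posts_table . " SET usersinks='" . $sinks_result_sql . "' WHERE post='" . $p_ID . "'");
    $wpdb->query("UPDATE " . $users_table . " SET votes='" . $uservotes_result_sql . "' WHERE user='******'");
    $wpdb->query("UPDATE " . $users_table . " SET sinks='" . $usersinks_result_sql . "' WHERE user='******'");

    return 'true';
}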
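/**
 * Records a vote or a "sink" for a post on behalf of a user and returns the
 * post's vote count.
 *
 * This revision adds a capability check: the earlier version escaped its SQL
 * inputs but never verified that the caller was a logged-in user.
 *
 * State lives in two tables as comma-separated ID lists:
 *   - {prefix}votes       (keyed by post): `votes` and `usersinks` hold user IDs
 *   - {prefix}votes_users (keyed by user): `votes` and `sinks` hold post IDs
 *
 * @param mixed  $post_ID Post being voted on.
 * @param mixed  $user_ID User casting the vote.
 * @param string $type    'sink' records a sink; any other value records a vote.
 * @return mixed false when the current user lacks the 'read' capability;
 *               otherwise the value of GetVotes($post_ID), whether or not a
 *               new vote was written.
 */
function Vote($post_ID, $user_ID, $type)
{
    global $wpdb;

    // Authorisation: only logged-in users may vote.
    // NOTE(review): this is a capability check only. If this function is reached
    // from a request handler, a nonce check belongs at that caller, and $user_ID
    // should be the current user's ID rather than a request-supplied value — confirm.
    if (!current_user_can('read')) {
        return false;
    }

    // Escape once, up front. $wpdb->escape() is the helper this file already
    // relies on; newer WordPress deprecates it in favour of $wpdb->prepare().
    $p_ID = $wpdb->escape($post_ID);
    $u_ID = $wpdb->escape($user_ID);

    // Both rows must exist before the SELECTs below, otherwise get_var() returns null.
    SetPost($p_ID);
    SetUser($u_ID);

    // Already voted: leave both tables untouched and just report the count.
    if (UserVoted($post_ID, $user_ID)) {
        return GetVotes($post_ID);
    }

    $posts_table = $wpdb->prefix . 'votes';
    $users_table = $wpdb->prefix . 'votes_users';

    // NOTE(review): the user predicate is shown redacted ('******') on this page;
    // confirm the real source binds $u_ID here (ideally via $wpdb->prepare()).
    $votes_raw     = $wpdb->get_var("SELECT votes FROM " . $posts_table . " WHERE post='" . $p_ID . "'");
    $sinks_raw     = $wpdb->get_var("SELECT usersinks FROM " . $posts_table . " WHERE post='" . $p_ID . "'");
    $uservotes_raw = $wpdb->get_var("SELECT votes FROM " . $users_table . " WHERE user='******'");
    $usersinks_raw = $wpdb->get_var("SELECT sinks FROM " . $users_table . " WHERE user='******'");

    // explode() of an empty column yields [""], so a fresh list is stored with a
    // leading comma. Kept as-is: other readers of these columns may depend on it.
    // The (string) cast avoids the PHP 8.1 deprecation for a null get_var() result
    // without changing the produced list.
    $votes     = explode(',', (string) $votes_raw);
    $sinks     = explode(',', (string) $sinks_raw);
    $uservotes = explode(',', (string) $uservotes_raw);
    $usersinks = explode(',', (string) $usersinks_raw);

    if ($type != 'sink') {
        // Vote: append the user to the post's list and the post to the user's list.
        $votes[]     = $u_ID;
        $uservotes[] = $p_ID;
        $votes_result_raw     = implode(',', $votes);
        $uservotes_result_raw = implode(',', $uservotes);
        $sinks_result_raw     = $sinks_raw;
        $usersinks_result_raw = $usersinks_raw;
    } else {
        // Sink: same shape, on the sink columns.
        $sinks[]     = $u_ID;
        $usersinks[] = $p_ID;
        $sinks_result_raw     = implode(',', $sinks);
        $usersinks_result_raw = implode(',', $usersinks);
        $votes_result_raw     = $votes_raw;
        // Bug fix: the original assigned the undefined $votesinks_raw here, which
        // blanked the user's vote list every time a sink was recorded.
        $uservotes_result_raw = $uservotes_raw;
    }

    // The appended IDs were already escaped; escaping the whole list again only
    // matters for non-numeric IDs (double escaping). Same as the original.
    $votes_result_sql     = $wpdb->escape($votes_result_raw);
    $sinks_result_sql     = $wpdb->escape($sinks_result_raw);
    $uservotes_result_sql = $wpdb->escape($uservotes_result_raw);
    $usersinks_result_sql = $wpdb->escape($usersinks_result_raw);

    // All four columns are rewritten, as in the original (untouched ones get their old value back).
    $wpdb->query("UPDATE " . $posts_table . " SET votes='" . $votes_result_sql . "' WHERE post='" . $p_ID . "'");
    $wpdb->query("UPDATE " . $posts_table . " SET usersinks='" . $sinks_result_sql . "' WHERE post='" . $p_ID . "'");
    $wpdb->query("UPDATE " . $users_table . " SET votes='" . $uservotes_result_sql . "' WHERE user='******'");
    $wpdb->query("UPDATE " . $users_table . " SET sinks='" . $usersinks_result_sql . "' WHERE user='******'");

    // Mirror the fresh count into post meta so templates can read it without the custom tables.
    $result = GetVotes($post_ID);
    update_post_meta($post_ID, 'votes', $result);

    return $result;
}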