        $e->croak();
    }
    exit;
}
/**
 *
 * Add comment
 *
 */
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $do_action == 'add-comment' && $_POST['verification'] == $_SESSION['ccms_captcha'] && !empty($_SESSION['ccms_captcha'])) {
    $error = '';
    $commentName = getPOSTparam4DisplayHTML('name');
    $commentEmail = getPOSTparam4Email('email');
    $commentUrl = getPOSTparam4URL('website');
    $commentRating = getPOSTparam4Number('rating', 3);
    $commentContent = getPOSTparam4DisplayHTML('comment');
    // no need for strip_tags here: the 4DisplayHTML helper already encodes anything that could be dangerous as HTML entities, so it is displayed but not interpreted
    $commentHost = $_SERVER['REMOTE_ADDR'];
    if (!empty($commentName) && !empty($commentEmail) && !empty($commentRating) && !empty($commentContent) && !empty($commentHost)) {
        $values = array();
        // [i_a] make sure $values is an empty array to start with here
        $values['page_id'] = MySQL::SQLValue($page_id, MySQL::SQLVALUE_NUMBER);
        $values['commentName'] = MySQL::SQLValue($commentName, MySQL::SQLVALUE_TEXT);
        $values['commentEmail'] = MySQL::SQLValue($commentEmail, MySQL::SQLVALUE_TEXT);
        $values['commentUrl'] = MySQL::SQLValue($commentUrl, MySQL::SQLVALUE_TEXT);
        $values['commentRate'] = MySQL::SQLValue($commentRating, MySQL::SQLVALUE_ENUMERATE);
        // note the 'tricky' comment in the MySQL::SQLValue() member: we MUST have quotes around this number, as MySQL enum values are quoted :-(
        $values['commentContent'] = MySQL::SQLValue($commentContent, MySQL::SQLVALUE_TEXT);
        $values['commentHost'] = MySQL::SQLValue($commentHost, MySQL::SQLVALUE_TEXT);
        // Insert new page into database
        if (!$db->InsertRow($cfg['db_prefix'] . 'modcomment', $values)) {
}
/**
 *
 * Apply album to page
 *
 */
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $do_action == 'apply-album') {
    FbX::SetFeedbackLocation('lightbox.Manage.php', 'page_id=' . $page_id);
    try {
        if (!empty($album_name)) {
            FbX::SetFeedbackLocation('lightbox.Manage.php', 'page_id=' . $page_id . '&album=' . $album_name);
            // Only if current user has the rights
            if ($perm->is_level_okay('manageModLightbox', $_SESSION['ccms_userLevel'])) {
                // Posted variables
                $topage = getPOSTparam4Filename('albumtopage');
                $description = getPOSTparam4DisplayHTML('description');
                $infofile = BASE_PATH . '/media/albums/' . $album_name . '/info.txt';
                if ($handle = fopen($infofile, 'w+')) {
                    if (fwrite($handle, $topage . "\r\n" . $description)) {
                        header('Location: ' . makeAbsoluteURI('lightbox.Manage.php?page_id=' . $page_id . '&album=' . $album_name . '&status=notice&msg=' . rawurlencode($ccms['lang']['backend']['settingssaved'])));
                        exit;
                    } else {
                        throw new FbX($ccms['lang']['system']['error_write']);
                    }
                } else {
                    throw new FbX($ccms['lang']['system']['error_write']);
                }
            } else {
                throw new FbX($ccms['lang']['auth']['featnotallowed']);
            }
        } else {
 *
 * Either INSERT or UPDATE news article
 *
 */
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $do_action == 'add-edit-news' && checkAuth()) {
    FbX::SetFeedbackLocation('news.Manage.php');
    try {
        if (!empty($page_id)) {
            FbX::SetFeedbackLocation('news.Manage.php', 'page_id=' . $page_id);
            // Only if current user has the rights
            if ($perm->is_level_okay('manageModNews', $_SESSION['ccms_userLevel'])) {
                // Published
                $newsAuthor = getPOSTparam4Number('newsAuthor');
                $newsTitle = getPOSTparam4DisplayHTML('newsTitle');
                $newsTeaser = getPOSTparam4DisplayHTML('newsTeaser');
                $newsContent = getPOSTparam4DisplayHTML('newsContent');
                $newsModified = getPOSTparam4DateTime('newsModified', time());
                $newsPublished = getPOSTparam4boolean('newsPublished');
                /* make sure empty news posts don't get through! front-end checking alone is NOT enough! */
                if (!empty($page_id) && !empty($newsAuthor) && !empty($newsAuthor) && !empty($newsTitle) && strlen($newsTitle) >= 3 && !empty($newsTeaser) && !empty($newsContent)) {
                    // Set all the submitted variables
                    $values = array();
                    // [i_a] make sure $values is an empty array to start with here
                    $values["userID"] = MySQL::SQLValue($newsAuthor, MySQL::SQLVALUE_NUMBER);
                    $values["page_id"] = MySQL::SQLValue($page_id, MySQL::SQLVALUE_NUMBER);
                    $values["newsTitle"] = MySQL::SQLValue($newsTitle, MySQL::SQLVALUE_TEXT);
                    $values["newsTeaser"] = MySQL::SQLValue($newsTeaser, MySQL::SQLVALUE_TEXT);
                    $values["newsContent"] = MySQL::SQLValue($newsContent, MySQL::SQLVALUE_TEXT);
                    $values["newsModified"] = MySQL::SQLValue($newsModified, MySQL::SQLVALUE_DATETIME);
                    $values["newsPublished"] = MySQL::SQLValue($newsPublished, MySQL::SQLVALUE_BOOLEAN);
                    // Execute either INSERT or UPDATE based on $newsID
 $owner = explode('||', strval($row->user_ids));
 if ($perm->is_level_okay('managePageEditing', $_SESSION['ccms_userLevel']) && ($row->iscoding != 'Y' || $perm->is_level_okay('managePageCoding', $_SESSION['ccms_userLevel'])) && (!in_array($row->urlpage, $cfg['restrict']) || in_array($_SESSION['ccms_userID'], $owner))) {
     $active = $row->published;
     $name = $row->urlpage;
     if ($row->iscoding == 'Y') {
         // code pages: only for users with elevated rights, so we're okay with less filtering (none at all, in this case!)
         $type = 'code';
         $content = getPOSTparam4RAWCONTENT('content');
         // accept ANYTHING: it's code, so it can carry anything, including JavaScript and PHP code chunks!
     } else {
         $type = 'text';
         $content = getPOSTparam4RAWHTML('content');
         // [i_a] must be RAW HTML, no htmlspecialchars(). Filtering is required if there is a risk of malicious input.
     }
     $filename = BASE_PATH . '/content/' . $name . '.php';
     $keywords = getPOSTparam4DisplayHTML('keywords');
     if (is_writable_ex($filename)) {
         if (!($handle = fopen($filename, 'w'))) {
             die('[ERR105] ' . $ccms['lang']['system']['error_openfile'] . ' (' . $filename . ').');
         }
         if (fwrite($handle, $content) === FALSE) {
             die('[ERR106] ' . $ccms['lang']['system']['error_write'] . ' (' . $filename . ').');
         }
         fclose($handle);
     } else {
         die($ccms['lang']['system']['error_chmod']);
     }
     // Save keywords to database
     $values = array();
     // [i_a] make sure $values is an empty array to start with here
     $values['keywords'] = MySQL::SQLValue($keywords, MySQL::SQLVALUE_TEXT);