<?php
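# This PHP script is used both for viewing a given event's forum, and
# optionally for adding a new message to that forum.
#
# Parameters are:
#
# id= Id used by random public users to select the event whose
# forum should be shown/added to.
#
# edit= Obscured id, used by the organizer or "admin" to select
# the event whose forum should be shown/added to.
#
# delmsg= MsgId of a message to be deleted. Only the event organizer
# or calendar administrator can do this. The organizer is
# recognized by the edit=... parameter carrying the message's
# obscured event id; the administrator by the cookie checked below.
#
# name= When adding a message, this is the name of the submitter.
#
# subject= When adding a message, this is the message's subject line.
#
# msg= When adding a message, this is the body of the message.
#
# address= This is a bogus input. In the message form, this is an
# <input type=text ...> which is hidden via CSS. Message
# submissions from human users should therefore always have
# an empty address field. Hopefully robots will mistakenly
# fill in that field, though, giving us a way to detect them
# and block their spam.
#
# NOTE(review): this file relies on the mysql_* extension, which was
# removed in PHP 7, so it is tied to a PHP 5.x runtime.
include("include/common.php");

# Make sure we have an "id" or "edit" parameter, identifying the event.
# Whichever one is supplied, the result is interpolated into SQL below
# (quoted in the calevent lookup, unquoted in the caldaily lookups), so
# it is reduced to a plain integer first. The original passed the raw
# request value straight into the queries and into the page.
if (isset($_REQUEST["edit"]) && $_REQUEST["edit"] != "") {
    # unobscure() comes from include/common.php; assumed to yield the
    # numeric event id for a valid token — the check below enforces it.
    $id = unobscure($_REQUEST["edit"]);
    $organizer = 1;
} else {
    $id = isset($_REQUEST["id"]) ? $_REQUEST["id"] : "";
    $organizer = 0;
}
if ($id === "" || $id === null || $id === false) die("You must pass an 'id' parameter");
if (!preg_match('/^[0-9]+$/', (string)$id)) die("Invalid event id");
$id = (int)$id;

# Also check whether we're logged in as the administrator.
# NOTE(review): admin status is a fixed cookie value compared in source,
# with no session behind it; anyone holding that value has organizer-level
# rights on every event's forum. Out of scope to change here.
if (isset($_COOKIE["havemore"]) && $_COOKIE["havemore"] == "bikefun")
    $admin = 1;
else
    $admin = 0;

# Connect to the server
$conn = mysql_connect(DBHOST, DBUSER, DBPASSWORD) or die("Can't connect to MySQL: ".mysql_error());
mysql_select_db(DBDATABASE, $conn) or die("Can't select database: ".mysql_error());

# Fetch info about this event ($id is an integer by now, so it can be
# embedded directly)
$result = mysql_query("SELECT id, descr, title, tinytitle, dates, eventtime, name, email, emailforum, image FROM calevent WHERE id=$id", $conn) or die(mysql_error());
if (mysql_num_rows($result) == 0) die("Event #$id not found");
$event = mysql_fetch_array($result);

# Look up the date of the event: the next occurrence on or after today
# whose eventstatus is not C, E or S; failing that the latest such
# occurrence in the past; failing that, today.
$result = mysql_query("SELECT eventdate FROM caldaily WHERE id=$id AND eventstatus<>\"C\" AND eventstatus<>\"E\" AND eventstatus<>\"S\" AND eventdate>=\"".date("Y-m-d")."\" ORDER BY eventdate", $conn);
if ($result === FALSE || mysql_num_rows($result) == 0)
    $result = mysql_query("SELECT eventdate FROM caldaily WHERE id=$id AND eventstatus<>\"C\" AND eventstatus<>\"E\" AND eventstatus<>\"S\" ORDER BY eventdate DESC", $conn);
if ($result === FALSE || mysql_num_rows($result) == 0)
    $date = date('Y-m-d');
else {
    $date = mysql_fetch_array($result);
    $date = $date['eventdate'];
}

// prepare some variables for the header.
$event_title = $event['title'] . ' - ' . date("F jS, Y", strtotime($date)) . ' | S H I F T to bikes!';
// pathinfo() has no 'extension' key when the stored image name has none;
// the original indexed it unconditionally.
$imageinfo = pathinfo((string)$event['image']);
$event_image = "eventimages/" . $event['id'] . "." . (isset($imageinfo['extension']) ? $imageinfo['extension'] : '');
include("include/header-calforum.php");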
?>
<?php
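# This computes the checksum. There's also a JavaScript version of
# it down below. The idea is that a human using a real browser will
# have a checksum computed in a compatible way, while a robot that
# is merely faking it will have no checksum. For the sake of
# cross-platform compatibility, we only sum up the ASCII letters.
#
# Sums the byte values of the ASCII letters (A-Z, a-z) in $str; every
# other byte is ignored. Bytes of multi-byte UTF-8 sequences are all
# >= 0x80 and so never contribute, which keeps the result equal to the
# JavaScript charCodeAt() version for the same text.
#
# @param string $str  text to checksum (the message body)
# @return int         sum of letter byte values; 0 for an empty string
function checksum($str)
{
    $str = (string)$str;
    $sum = 0;
    $len = strlen($str);
    # Index the string directly: the original called substr($str, $i)
    # on every iteration, copying the whole tail each time (quadratic).
    for ($i = 0; $i < $len; $i++) {
        $ch = ord($str[$i]);
        if (($ch >= 65 && $ch <= 90) || ($ch >= 97 && $ch <= 122))
            $sum += $ch;
    }
    return $sum;
}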
?>
<script type="text/javascript">
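/**
 * Sum the char codes of the ASCII letters (A-Z, a-z) in str.
 * Mirrors the PHP checksum() above so a browser-submitted form carries
 * a value the server can recompute; every other character contributes
 * nothing.
 *
 * @param {string} str  text to checksum (the message body)
 * @returns {number}    letter code sum; 0 for an empty string
 */
function checksum(str)
{
    // Declared with var: the original assigned sum/i/ch without any
    // declaration, which silently created three globals.
    var sum = 0;
    for (var i = 0; i < str.length; i++) {
        var ch = str.charCodeAt(i);
        if ((ch >= 65 && ch <= 90) || (ch >= 97 && ch <= 122))
            sum += ch;
    }
    return sum;
}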
</script>
<?php
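# Do we have parameters for a new message?
# The poster's name is fixed for the admin and taken from the event
# record for the organizer; anonymous posters supply it via the form,
# so it goes through safeinput() like subject and msg do — the original
# interpolated the raw request value into the SQL below.
if ($admin) {
    $name = 'Shift Calendar Crew';
} else if ($organizer) {
    # NOTE(review): stored value, not re-escaped here; assumed to have
    # been escaped when the event was saved — confirm against calform.php.
    $name = $event['name'];
} else {
    $name = safeinput(isset($_REQUEST['name']) ? $_REQUEST['name'] : '');
}
$subject = safeinput(isset($_REQUEST['subject']) ? $_REQUEST['subject'] : '');
$rawmsg = isset($_REQUEST['msg']) ? $_REQUEST['msg'] : '';
$msg = safeinput($rawmsg);
if ($name != "" && $subject != "" && $rawmsg != "") {
    # Guard against spam.
    $spamdict = array("http","online","pill","drug","tablet","antidepression","medication","prescription","money","viagra","viagara","vi@gra","oxycontin","oxycodone","puppy","veterinary","pharmacy","gambling","casino", "cialis", "ambien", "bbw", "xanax", "rx", "valium");
    $spamminess = 0;
    $combined = "$name$subject$msg";
    # An anchor tag anywhere in the post is treated as link spam outright.
    if (preg_match("/<[Aa][[:space:]]/", $combined))
        $spamminess += 100;
    # preg_split() returns one more piece than there are bytes outside
    # the printable-ASCII range, so every post pays 300/strlen and each
    # such byte adds another 300/strlen. $combined is non-empty here.
    $nonascii = preg_split("/[^\012-\176]/", $combined);
    $spamminess += count($nonascii) * 300 / strlen($combined);
    # 60 points per case-insensitive occurrence of each dictionary word.
    foreach ($spamdict as $spamword) {
        $found = stripos($combined, $spamword);
        while ($found !== FALSE) {
            $spamminess += 60;
            $found = stripos($combined, $spamword, $found + 1);
        }
    }
    # Debug aid: the score ends up in the page source.
    print "<!-- spamminess=$spamminess -->\n";
    # The checksum is computed client-side by the JavaScript checksum()
    # and must match our own; a missing field compares as null, as before.
    $clientsum = isset($_REQUEST['checksum']) ? $_REQUEST['checksum'] : null;
    if ($spamminess >= 100) {
        print "<blink><font color=red>Your spammish-looking message is rejected</font></blink>\n";
    } else if (checksum($rawmsg) != $clientsum) {
        print "<blink><font color=red>Your miscoded message is rejected</font></blink>\n";
    } else if (!empty($_REQUEST['address'])) {
        # The CSS-hidden "address" field is the honeypot described at the top of the file.
        print "<blink><font color=red>Your robot-generated message is rejected</font></blink>\n";
    } else {
        # id is an integer column (compared unquoted elsewhere in this
        # file); cast it for the SQL below so nothing else rides along.
        $sqlid = (int)$id;
        # Guard against duplicate messages
        $result = mysql_query("SELECT msgid FROM calforum WHERE id=\"$sqlid\" AND name=\"$name\" AND subject=\"$subject\" AND msg=\"$msg\"", $conn) or die(mysql_error());
        if (mysql_num_rows($result) > 0) {
            print "<blink><font color=red>Duplicate message rejected</font></blink>\n";
        } else {
            # Add this message. organizer is stored as 1/0; the original
            # interpolated a bool, which stringifies to "" when false.
            $sql = "INSERT INTO calforum (id,organizer,name,subject,msg)"
                 . " VALUES (\"$sqlid\",\"" . (($organizer || $admin) ? 1 : 0) . "\",\"$name\",\"$subject\",\"$msg\")";
            mysql_query($sql, $conn) or die(mysql_error());
            # Also email a copy to the event organizer, unless we are
            # the event organizer
            if ((!$organizer || $admin) && $event["emailforum"]) {
                # Construct a URL for the PP calendar pages.
                # NOTE(review): HTTP_HOST comes from the request, so the
                # links mailed to the organizer reflect whatever Host header
                # the poster sent; a configured base URL would be safer.
                # (The original wrote $_SERVER[HTTP_HOST] etc. with bare,
                # undefined constants instead of quoted keys.)
                $url = "http://";
                if (!empty($_SERVER['HTTP_HOST']))
                    $url .= $_SERVER['HTTP_HOST'];
                else
                    $url .= $_SERVER['SERVER_NAME'];
                $url .= dirname($_SERVER['REQUEST_URI']);
                # Find the obscured version of the event ID used by
                # the web site to recognize the event organizer.
                $ob = obscure($id);
                # Construct a message body (stripslashes undoes the
                # storage escaping, as it already did for $msg and $subject)
                $msgbody = "The following was posted to the forum for your\n";
                $msgbody .= $event["tinytitle"]." event.\n";
                $msgbody .= "See the bottom for instructions on how to use the forum.\n";
                $msgbody .= "-------------------------------------------------------------\n";
                $msgbody .= stripslashes($name)." wrote:\n";
                $msgbody .= wordwrap(stripslashes($msg), 60)."\n";
                $msgbody .= "-------------------------------------------------------------\n";
                $msgbody .= "The forum tries to highlight message from the event organizer\n";
                $msgbody .= "differently from other user's message. For this to work right\n";
                $msgbody .= "you must enter the forum via the following link...\n";
                $msgbody .= "\n";
                $msgbody .= " COMPOSE MESSAGE: $url/calforum.php?edit=$ob\n";
                $msgbody .= "\n";
                $msgbody .= "If you don't want to receive forum messages via email anymore,\n";
                $msgbody .= "you'll need to edit your event to turn off the \"send forum\n";
                $msgbody .= "messages here\" checkbox. Do that at...\n";
                $msgbody .= "\n";
                $msgbody .= " EDIT EVENT: $url/calform.php?edit=$ob\n";
                # Send it. Line breaks are stripped from the user-supplied
                # subject so it cannot smuggle extra lines into the headers.
                $to = $event["email"];
                $subject = "[Shift Cal {$event['tinytitle']}] " . str_replace(array("\r", "\n"), ' ', stripslashes($subject));
                $headers = "From: ".SHIFTEMAIL."\r\n"
                    . "List-Help: <$url/calform.php?edit=$ob>\r\n"
                    . "List-Post: <$url/calforum.php?edit=$ob>";
                mail($to, $subject, $msgbody, $headers);
            }
        }
    }
}

# Do we have parameters for deleting a message?
# msgid is an integer column (the original compared it unquoted), so the
# request value is cast before it reaches the query instead of being
# interpolated raw; 0 or a non-numeric value means "nothing to delete".
# NOTE(review): this is a state-changing GET with no anti-CSRF token, and
# the admin path accepts the public id= without the edit= token.
$delmsg = isset($_REQUEST["delmsg"]) ? (int)$_REQUEST["delmsg"] : 0;
if (($admin || $organizer) && $delmsg > 0) {
    $sql = "DELETE FROM calforum WHERE id=" . (int)$id . " AND msgid=$delmsg";
    mysql_query($sql, $conn) or die(mysql_error());
}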
?>
<style type="text/css">
<?php
# These three rules reference the IMAGES path constant (defined
# elsewhere, not in this file), so they are emitted from PHP rather
# than written in the static CSS below.
printf(" dt { background: url(%s/oocorner.gif) no-repeat; }\n", IMAGES);
printf(" div.msglist { border: inset #ffc969; padding: 2; background: url(%s/owall.gif); }\n", IMAGES);
printf(" div.organizer { background: url(%s/owall.gif); }\n", IMAGES);
?>
div.hr {font-size: 1; height:3; margin: 0; width: 100%; background-color: #ff9a00;}
div.msg { background: #ffc969; }
div.event { text-align: left; width: 80%; padding: 10px; background-color: #ff9a00; border: groove #ff9a00; }
dt.organizer { font-style: italic; }
dd.organizer { font-style: italic; }
dt { font-size: larger; font-weight: bold;}
dd { margin-left: 50px; margin-bottom: 10px; }
dl { background: #ffc969; margin: 5px; }
td.lbl { vertical-align: top; }
td.in {background: #ffe880; }
input.subject { font-size: 20; font-weight: bold; }
</style>
<script type="text/javascript">
/**/
/**
 * Validate the post form before it is submitted: name, subject and
 * body must all be non-empty, and the hidden checksum field is filled
 * in from the body so the server can verify it.
 *
 * @param {HTMLFormElement} form  the forum post form
 * @returns {boolean} true to allow the submit; false (after alerting and
 *   focusing the offending field) to block it
 */
function checkpost(form)
{
    // Required fields in form order, each with the message shown when
    // it is left blank.
    var required = [
        ["name", "The name field is required.\nIf you aren't comfortable giving\nyour real name, then make one up."],
        ["subject", "The subject field is required."],
        ["msg", "The body shouldn't be empty.\nAt the very least, it should\ncontain the same text as the subject."]
    ];
    for (var k = 0; k < required.length; k++) {
        var field = form[required[k][0]];
        if (field.value == "") {
            alert(required[k][1]);
            field.focus();
            return false;
        }
    }
    // Compute the checksum of the body
    form.checksum.value = checksum(form.msg.value);
    return true;
}
</script>
<div id="content" class="content">
<?php
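# Output the basic information about the event. All of it comes from
# the calevent row; text fields are HTML-escaped on output, and descr
# goes through htmldescription() (defined elsewhere; assumed to emit
# safe markup — not verified here).
print "<h1>Forum for " . htmlspecialchars($event["tinytitle"]) . "</h1>\n";
print "<center>\n";
print "<div class=event>\n";
# <br>, not the invalid </br> the original emitted.
print " <span style=\"font-size:large; font-weight: bolder;\">" . htmlspecialchars($event["title"]) . "</span><br>\n";
# dates is escaped like the other text fields; the original emitted it
# raw via "${event[dates]}", which also looks up an undefined constant.
print " <strong> " . htmlspecialchars($event["dates"]) . ", " . hmmpm($event["eventtime"]) . "</strong>\n";
print " <br>" . htmldescription($event["descr"]) . "\n";
print "</div>\n";
print "</center>\n";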
?>
<center>
<?php
# Navigation buttons. The edit button is for the organizer/admin only,
# the admin menu for the admin only.
# NOTE(review): viewurl() and obscure() are defined outside this file;
# their output lands inside a JS string literal within an attribute
# unescaped, so they are assumed to return only URL-safe characters —
# confirm.
printf("<button onClick=\"window.location.replace('%s');\">View Calendar</button>\n", viewurl($date, $id));
if ($organizer || $admin)
    printf("<button onClick=\"window.location.replace('calform.php?edit=%s');\">Edit Event</button>\n", obscure($id));
if ($admin)
    print "<button onClick=\"window.location.replace('admin.php');\">Administration Menu</button>\n";
?>
</center>
<hr>
<?php
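# Output the forum messages, oldest first.
$result = mysql_query("SELECT * FROM calforum WHERE id=\"{$id}\" ORDER BY modified", $conn) or die(mysql_error());
if (mysql_num_rows($result) == 0) {
    print "<center><h2><em>No messages yet</em></h2></center>\n";
} else {
    print "<center>Older messages at top, newer messages at bottom</center>\n";
    print "<div class=msglist><dl>\n";
    while ($record = mysql_fetch_array($result)) {
        # Format the timestamp -- varies with SQL version
        if (strlen($record["modified"]) == 14) {
            # older versions of MySQL use YYYYMMDDhhmmss format
            $modified = substr($record["modified"], 0, 4) . "-"
                . substr($record["modified"], 4, 2) . "-"
                . substr($record["modified"], 6, 2) . " "
                . substr($record["modified"], 8, 2) . ":"
                . substr($record["modified"], 10, 2) . ":"
                . substr($record["modified"], 12, 2);
        } else {
            # newer versions of MySQL use YYYY-MM-DD hh:mm:ss format,
            # but (on Thinkhost at least) the timezone is wrong so
            # we need to tweak the hour.
            $hh = (int)substr($record["modified"], 11, 2);
            if ($hh >= TZTWEAK)
                $hh -= TZTWEAK;
            # Keep the hour zero-padded: "08" - 3 used to come out as "5",
            # producing "YYYY-MM-DD 5:mm:ss".
            # NOTE(review): hours below TZTWEAK are left untouched rather
            # than wrapped into the previous day — kept as the author had it.
            $modified = substr($record["modified"], 0, 11)
                . sprintf("%02d", $hh)
                . substr($record["modified"], 13);
        }
        print "<div class=hr></div>\n";
        if ($record["organizer"])
            print "<div class=organizer>\n<dt class=organizer>";
        else
            print "<div class=msg>\n<dt>";
        print "<font size=\"-2\">" . htmlspecialchars($record["name"]) . " ($modified)</font><br>\n";
        print htmlspecialchars($record["subject"]) . "\n";
        if ($organizer || $admin) {
            # Delete link: a GET that changes state, handled by the delmsg
            # code near the top of this file. msgid is an integer column,
            # so it is cast; "&" is written "&amp;" inside the attribute.
            print "<a onClick=\"return confirm('Do you really want to delete this message?');\" href=\"calforum.php?edit=" . obscure($record["id"]) . "&amp;delmsg=" . (int)$record["msgid"] . "\">\n";
            print " <img border=0 src=\"images/forumdel.gif\" alt=\"Delete\" title=\"Delete this message\">\n";
            print "</a>\n";
        }
        print "</dt>\n";
        if ($record["organizer"])
            print "<dd class=organizer>";
        else
            print "<dd>";
        print htmldescription($record["msg"]) . "</dd>\n";
        print "</div>\n";
    }
    print "</dl></div>\n";
    print "<center>Older messages at top, newer messages at bottom</center>\n";
}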
?>
<hr>
<center>
To post a message, fill in the following then click the "Send Message" button.
<br>Messages that are off-topic, rude, or otherwise inappropriate may be deleted.
<br><font color=red>*</font> All fields are required.
<form id="post" action="calforum.php" method="POST" onSubmit="return checkpost(this);">
<?php
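# Carry the event identifier through the form. The organizer keeps the
# obscured edit= token; everyone else gets the public id. The public id
# comes straight from the request, so it is escaped before being placed
# in the value attribute (the original echoed it raw).
# NOTE(review): obscure() is defined outside this file and its output is
# placed in the attribute unescaped — assumed to be plain token characters.
if ($organizer)
    print " <input type=hidden name=edit value=\"" . obscure($id) . "\">\n";
else
    print " <input type=hidden name=id value=\"" . htmlspecialchars($id) . "\">\n";
print " <table cellpadding=1 border=1 background=\"" . IMAGES . "/owall.gif\">\n";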
?>
<tr>
<td class=lbl><font color=red>*</font>Name:</td>
<td class=in>
<?php
# Name field: pre-filled and disabled for the admin and the organizer
# (with a note saying why), free text for everyone else. $name is
# escaped before it goes into the value attribute.
if ($admin || $organizer)
    print " <input type=text name=name size=20 value=\"" . htmlspecialchars($name) . "\" disabled> "
        . ($admin ? "(You came here via the <a href=\"admin.php\">admin</a> page)" : "(You are the event organizer)")
        . "</td>\n";
else
    print " <input type=text name=name size=20> (If you're shy, invent a nickname)</td>\n";
?>
<input type=text name="address" style="display:none">
<input type=hidden name="checksum">
</tr>
<tr>
<td class=lbl><font color=red>*</font>Subject:</td>
<td class=in><input type=text name=subject class=subject size=40></td>
</tr>
<tr>
<td class=lbl><font color=red>*</font>Body:</td>
<td class=in><textarea name=msg rows=5 cols=60></textarea></td>
</tr>
<tr>
<td class=lbl colspan=2 align=center>
<input type=submit value="Send Message">
</td>
</tr>
</table>
</form>
<script type="text/javascript" language="JavaScript">
<?php
# Put the cursor where typing starts: the admin's and organizer's name
# field is disabled, so they go straight to the subject.
print "document.forms.post." . (($admin || $organizer) ? "subject" : "name") . ".focus();\n";
?>
</script>
</center>
</div>
<?php
# Shared page footer; INCLUDES is a path constant defined outside this file.
include INCLUDES . "/footer.html";
#ex:se sw=4:
?>