Пример #1
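 /**
  * Handles the AJAX "add comment" POST.
  *
  * Reads the comment fields from $_POST, validates nickname / e-mail / body,
  * resolves the parent comment (if the submission is a reply), inserts the row
  * through the Comment model and echoes the rendered <li> for the new comment.
  *
  * Every validation failure calls AjaxError(); the flow assumes AjaxError()
  * terminates the request (TODO confirm — nothing here returns after it).
  *
  * Security notes for reviewers:
  *  - Rejecting non-POST requests is NOT CSRF protection: a cross-site HTML
  *    form can still POST here. A per-session token compared with
  *    hash_equals() (optionally plus an Origin/Referer check) is still needed.
  *  - Nickname and parent-comment values are HTML-escaped at the echo sites
  *    below. The comment body only passes through SelfXssattack() and
  *    EmojiH(), both defined elsewhere; whether they HTML-escape is not
  *    visible from this file — confirm before treating the body as safe.
  *  - Comment ids are cast to int before reaching the model, so only numeric
  *    values are ever used in lookups.
  */
 public function addcomment()
 {
     if ('POST' !== $_SERVER['REQUEST_METHOD']) {
         // Method gate only. This blocks accidental GET submissions but is not
         // a CSRF defence on its own (see notes above).
         header('Allow: POST');
         header('HTTP/1.1 405 Method Not Allowed');
         header('Content-Type: text/plain');
         die('Illegal request!');
     }

     // Trimmed string from $_POST, or null when absent. Non-string values
     // (e.g. `comment[]=x`) are treated as absent: trim() on an array would
     // throw a TypeError and turn a bad request into a 500.
     $postString = static function ($key) {
         return isset($_POST[$key]) && is_string($_POST[$key]) ? trim($_POST[$key]) : null;
     };
     // HTML-escape for text/attribute context (ENT_QUOTES covers both quote styles).
     $esc = static function ($value) {
         return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
     };

     $fields = [];
     $fields['contents'] = $postString('comment');
     // Either a single parent id or "parentId-replyToId" for a nested reply.
     $fields['cid'] = $postString('comment_parent');
     $fields['aid'] = isset($_POST['comment_post_ID']) ? intval($_POST['comment_post_ID']) : null;
     $author = $postString('author');
     // strip_tags() removes markup from the display name; it is still escaped
     // again at output time below.
     $fields['nickname'] = $author === null ? null : trim(strip_tags($author));
     $fields['email'] = $postString('email');
     $fields['website'] = $postString('url');
     $fields['ctime'] = time();
     $fields['ip'] = Request::getClientIP();

     // Casting to string keeps these checks valid when a field is null.
     if (strlen((string) $fields['email']) < 6 || (string) $fields['nickname'] === '') {
         AjaxError('请填写昵称和邮箱!');
     }
     if (!Is_email($fields['email'])) {
         AjaxError('请填写有效的邮箱地址!');
     }
     if ((string) $fields['contents'] === '') {
         AjaxError('请写点评论!');
     }

     $comment = self::$models->Comment;
     //$comment->IpLimit($fields['ip']); // flood protection, left disabled as in the original
     // NOTE(review): the body is passed by value; unless SelfXssattack() takes
     // its argument by reference it cannot sanitise $fields['contents'] in place.
     $comment->SelfXssattack($fields['contents']);

     // Resolve the parent comment. $commentp stays null when there is none or
     // the lookup finds nothing, and every later use is guarded on that.
     $commentp = null;
     $fidname = '';
     $fields['parent'] = '';
     $parentRef = (string) $fields['cid'];
     if (strpos($parentRef, '-') !== false) {
         // "threadId-replyToId": the thread root becomes cid, the mention
         // target is the nested comment being replied to.
         $parts = explode('-', $parentRef, 2);
         $fields['cid'] = (int) $parts[0];
         $commentp = $comment->getOneComment('id', (int) $parts[1]);
     } elseif ($parentRef !== '' && $parentRef !== '0') {
         $fields['cid'] = (int) $parentRef;
         $commentp = $comment->getOneComment('id', $fields['cid']);
     }
     if ($commentp) {
         $fields['parent'] = $commentp['id'] . ',' . $commentp['nickname'];
         $fidname = '<a href="#comment-' . (int) $commentp['id'] . '" rel="nofollow" class="cute">@'
             . $esc($commentp['nickname']) . '</a>';
     }

     $result = $comment->InsertComment($fields);
     if (!$result) {
         AjaxError('评论添加失败,多次失败请联系站长!');
     } else {
         // Remember the visitor's details for next time.
         $comment->Ifuser($fields['nickname'], $fields['email'], $fields['website']);
         // Notify the parent author by mail, only when a parent was actually found.
         if (EMAIL_SENT_FOR_REPLY && $commentp && (int) $fields['cid'] > 0) {
             $comment->SendMail(self::$models->SmtpMail, $fields['contents'], $commentp);
         }
         // Render the new comment. The element id is derived from the parent
         // comment's id ('#' for a top-level comment), as in the original; the
         // consuming JS is not visible here, so that convention is kept.
         $toid = $commentp ? (int) $commentp['id'] : '#';
         echo '<li class="comment even thread-even depth-1 clearfix" id="comment-' . $toid . '"><span class="comt-f"></span> ';
         echo '  <div class="c-avatar"><img alt=\'\' src=\'' . IMG_TXING . '\' class=\'avatar avatar-50 photo\' height=\'50\' width=\'50\' /><div class="c-main" id="div-comment-' . $toid . '">';
         // NOTE(review): EmojiH($fields['contents']) is echoed without further
         // escaping; if neither SelfXssattack() nor EmojiH() HTML-escapes, this
         // is a stored-XSS sink.
         echo '     <p style="color:#8c8c8c;"><span class="c-author">' . $esc($fields['nickname']) . '</span></p><p>' . $fidname . EmojiH($fields['contents']) . '</p>';
         echo '        <div class="c-meta">' . wordTime($fields['ctime']) . ' (' . date('Y-m-d H:i:s', $fields['ctime']) . ')';
         echo '</div></div></div></li>';
     }
 }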
Пример #2
" class='avatar avatar-50 photo' height='50' width='50' />
                                <a href="<?php 
    echo Route('articleshow/' . $comment['aid']) . "#comment-" . $comment['id'];
    ?>
" title="悄悄告诉你,这个是基佬">
                                    <strong><?php 
    echo $comment['nickname'];
    ?>
</strong>
                                </a>
                                <span class="separator">・</span><?php 
    echo wordTime($comment['ctime']);
    ?>
                            </div>
                            <div class="widgent_ui_comments_content"><?php 
    echo EmojiH($comment['contents']);
    ?>
</div>
                            <div class="widget_ui_comments_title">
                                <p>评论于<a href="<?php 
    echo Route('articleshow/' . $comment['aid']);
    ?>
"><?php 
    echo $comment['title'];
    ?>
</a></p>
                            </div>
                        </li>
                        <?php 
}
?>
Пример #3
                                    <div class="c-main" id="div-comment-<?php 
            echo $son['id'];
            ?>
"><p class="jiyou" style="color:#8c8c8c;margin-bottom:6px;">
                                        <span class="c-author"><?php 
            echo $son['nickname'];
            ?>
</span>
                                        <?php 
            if ($son['email'] == '*****@*****.**') {
                echo "<a title=\"Alice博客管理员\"><img src=\"http://www.liaosam.com/wp-content/themes/liaosam/images/2.png\" style=\"margin-top: -3px;\" class=\"box-hide box-show\"></a>";
            }
            ?>
                                        <div style="margin:8px 0 4px;">
                                            <?php 
            echo $son['pid'] ? "<a href=\"#comment-" . $son['pid'] . "\" rel=\"nofollow\" class=\"cute\">@" . $son['pnickname'] . "</a>" . EmojiH($son['contents']) : EmojiH($son['contents']);
            ?>
                                        </div>
                                        <div class="c-meta"><?php 
            echo wordTime($son['ctime']) . "<a class='comment-reply-link' href='/articleshow/" . $son['aid'] . "?replytocom=" . $son['id'] . "#respond' onclick='return addComment.moveForm(\"div-comment-" . $son['id'] . "\", \"" . $comment['id'] . '-' . $son['id'] . "\", \"respond\", \"" . $son['aid'] . "\")'>回复</a>";
            ?>
                                        </div>
                                    </div>
                                </div>
                            </li><!-- #comment-## -->
                         <?php 
        }
        echo "</ul>";
    }
    echo "</li>";
}