function insert_user_comment_guestbook(&$comm, $key)
{
    global $conf, $user, $page;
    $comm = array_merge($comm, array('ip' => $_SERVER['REMOTE_ADDR'], 'agent' => $_SERVER['HTTP_USER_AGENT']));
    if (!$conf['guestbook']['comments_validation'] or is_admin()) {
        $comment_action = 'validate';
    } else {
        $comment_action = 'moderate';
    }
    // author
    if (!is_classic_user()) {
        if (empty($comm['author'])) {
            $page['errors'][] = l10n('Please enter your username');
            $comment_action = 'reject';
        } else {
            $comm['author_id'] = $conf['guest_id'];
            // if a guest try to use the name of an already existing user,
            // he must be rejected
            $query = '
SELECT COUNT(*) AS user_exists
  FROM ' . USERS_TABLE . '
  WHERE ' . $conf['user_fields']['username'] . " = '" . addslashes($comm['author']) . "'\n;";
            $row = pwg_db_fetch_assoc(pwg_query($query));
            if ($row['user_exists'] == 1) {
                $page['errors'][] = l10n('This login is already used by another user');
                $comment_action = 'reject';
            }
        }
    } else {
        $comm['author'] = addslashes($user['username']);
        $comm['author_id'] = $user['id'];
    }
    // content
    if (empty($comm['content'])) {
        $comment_action = 'reject';
    }
    // key
    if (!verify_ephemeral_key(@$key)) {
        $comment_action = 'reject';
        $_POST['cr'][] = 'key';
    }
    // email
    if (empty($comm['email']) and is_classic_user() and !empty($user['email'])) {
        $comm['email'] = $user['email'];
    } else {
        if (empty($comm['email']) and $conf['comments_email_mandatory']) {
            $page['errors'][] = l10n('mail address must be like xxx@yyy.eee (example : jack@altern.org)');
            $comment_action = 'reject';
        } else {
            if (!empty($comm['email']) and !email_check_format($comm['email'])) {
                $page['errors'][] = l10n('mail address must be like xxx@yyy.eee (example : jack@altern.org)');
                $comment_action = 'reject';
            }
        }
    }
    // website
    if (!empty($comm['website'])) {
        $comm['website'] = strip_tags($comm['website']);
        if (!preg_match('/^(https?:\\/\\/)/i', $comm['website'])) {
            $comm['website'] = 'http://' . $comm['website'];
        }
        if (!url_check_format($comm['website'])) {
            $page['errors'][] = l10n('invalid website address');
            $comment_action = 'reject';
        }
    }
    // anonymous id = ip address
    $ip_components = explode('.', $_SERVER["REMOTE_ADDR"]);
    if (count($ip_components) > 3) {
        array_pop($ip_components);
    }
    $comm['anonymous_id'] = implode('.', $ip_components);
    // comment validation and anti-spam
    if ($comment_action != 'reject' and $conf['anti-flood_time'] > 0 and !is_admin()) {
        $reference_date = pwg_db_get_flood_period_expression($conf['anti-flood_time']);
        $query = '
SELECT COUNT(1) FROM ' . GUESTBOOK_TABLE . '
  WHERE 
    date > ' . $reference_date . '
    AND author_id = ' . $comm['author_id'];
        if (!is_classic_user()) {
            $query .= '
      AND anonymous_id = "' . $comm['anonymous_id'] . '"';
        }
        $query .= '
;';
        list($counter) = pwg_db_fetch_row(pwg_query($query));
        if ($counter > 0) {
            $page['errors'][] = l10n('Anti-flood system : please wait for a moment before trying to post another comment');
            $comment_action = 'reject';
        }
    }
    // perform more spam check
    $comment_action = trigger_change('user_comment_check', $comment_action, $comm, 'guestbook');
    if ($comment_action != 'reject') {
        $query = '
INSERT INTO ' . GUESTBOOK_TABLE . '(
    author, 
    author_id, 
    anonymous_id,
    content, 
    date, 
    validated, 
    validation_date, 
    website, 
    rate, 
    email
  )
  VALUES (
    \'' . $comm['author'] . '\',
    ' . $comm['author_id'] . ',
    \'' . $comm['anonymous_id'] . '\',
    \'' . $comm['content'] . '\',
    NOW(),
    \'' . ($comment_action == 'validate' ? 'true' : 'false') . '\',
    ' . ($comment_action == 'validate' ? 'NOW()' : 'NULL') . ',
    ' . (!empty($comm['website']) ? '\'' . $comm['website'] . '\'' : 'NULL') . ',
    ' . (!empty($comm['rate']) ? $comm['rate'] : 'NULL') . ',
    ' . (!empty($comm['email']) ? '\'' . $comm['email'] . '\'' : 'NULL') . '
  )
';
        pwg_query($query);
        $comm['id'] = pwg_db_insert_id(GUESTBOOK_TABLE);
        if ($conf['guestbook']['email_admin_on_comment'] and 'validate' == $comment_action or $conf['guestbook']['email_admin_on_comment_validation'] and 'moderate' == $comment_action) {
            include_once PHPWG_ROOT_PATH . 'include/functions_mail.inc.php';
            $comment_url = add_url_params(GUESTBOOK_URL, array('comment_id' => $comm['id']));
            $keyargs_content = array(get_l10n_args('Author: %s', stripslashes($comm['author'])), get_l10n_args('Comment: %s', stripslashes($comm['content'])), get_l10n_args('', ''), get_l10n_args('Manage this user comment: %s', $comment_url));
            if ('moderate' == $comment_action) {
                $keyargs_content[] = get_l10n_args('', '');
                $keyargs_content[] = get_l10n_args('(!) This comment requires validation', '');
            }
            pwg_mail_notification_admins(get_l10n_args('Comment by %s', stripslashes($comm['author'])), $keyargs_content);
        }
    }
    return $comment_action;
}
Пример #2
0
/**
 * Tries to insert a user comment and returns action to perform.
 *
 * @param array &$comm
 * @param string $key secret key sent back to the browser
 * @param array &$infos output array of error messages
 * @return string validate, moderate, reject
 */
function insert_user_comment(&$comm, $key, &$infos)
{
    global $conf, $user;
    $comm = array_merge($comm, array('ip' => $_SERVER['REMOTE_ADDR'], 'agent' => $_SERVER['HTTP_USER_AGENT']));
    $infos = array();
    if (!$conf['comments_validation'] or is_admin()) {
        $comment_action = 'validate';
        //one of validate, moderate, reject
    } else {
        $comment_action = 'moderate';
        //one of validate, moderate, reject
    }
    // display author field if the user status is guest or generic
    if (!is_classic_user()) {
        if (empty($comm['author'])) {
            if ($conf['comments_author_mandatory']) {
                $infos[] = l10n('Username is mandatory');
                $comment_action = 'reject';
            }
            $comm['author'] = 'guest';
        }
        $comm['author_id'] = $conf['guest_id'];
        // if a guest try to use the name of an already existing user, he must be
        // rejected
        if ($comm['author'] != 'guest') {
            $query = '
SELECT COUNT(*) AS user_exists
  FROM ' . USERS_TABLE . '
  WHERE ' . $conf['user_fields']['username'] . " = '" . addslashes($comm['author']) . "'";
            $row = pwg_db_fetch_assoc(pwg_query($query));
            if ($row['user_exists'] == 1) {
                $infos[] = l10n('This login is already used by another user');
                $comment_action = 'reject';
            }
        }
    } else {
        $comm['author'] = addslashes($user['username']);
        $comm['author_id'] = $user['id'];
    }
    if (empty($comm['content'])) {
        // empty comment content
        $comment_action = 'reject';
    }
    if (!verify_ephemeral_key(@$key, $comm['image_id'])) {
        $comment_action = 'reject';
        $_POST['cr'][] = 'key';
        // rvelices: I use this outside to see how spam robots work
    }
    // website
    if (!empty($comm['website_url'])) {
        if (!$conf['comments_enable_website']) {
            // honeypot: if the field is disabled, it should be empty !
            $comment_action = 'reject';
            $_POST['cr'][] = 'website_url';
        } else {
            $comm['website_url'] = strip_tags($comm['website_url']);
            if (!preg_match('/^https?/i', $comm['website_url'])) {
                $comm['website_url'] = 'http://' . $comm['website_url'];
            }
            if (!url_check_format($comm['website_url'])) {
                $infos[] = l10n('Your website URL is invalid');
                $comment_action = 'reject';
            }
        }
    }
    // email
    if (empty($comm['email'])) {
        if (!empty($user['email'])) {
            $comm['email'] = $user['email'];
        } elseif ($conf['comments_email_mandatory']) {
            $infos[] = l10n('Email address is missing. Please specify an email address.');
            $comment_action = 'reject';
        }
    } elseif (!email_check_format($comm['email'])) {
        $infos[] = l10n('mail address must be like xxx@yyy.eee (example : jack@altern.org)');
        $comment_action = 'reject';
    }
    // anonymous id = ip address
    $ip_components = explode('.', $comm['ip']);
    if (count($ip_components) > 3) {
        array_pop($ip_components);
    }
    $anonymous_id = implode('.', $ip_components);
    if ($comment_action != 'reject' and $conf['anti-flood_time'] > 0 and !is_admin()) {
        // anti-flood system
        $reference_date = pwg_db_get_flood_period_expression($conf['anti-flood_time']);
        $query = '
SELECT count(1) FROM ' . COMMENTS_TABLE . '
  WHERE date > ' . $reference_date . '
    AND author_id = ' . $comm['author_id'];
        if (!is_classic_user()) {
            $query .= '
      AND anonymous_id LIKE "' . $anonymous_id . '.%"';
        }
        $query .= '
;';
        list($counter) = pwg_db_fetch_row(pwg_query($query));
        if ($counter > 0) {
            $infos[] = l10n('Anti-flood system : please wait for a moment before trying to post another comment');
            $comment_action = 'reject';
            $_POST['cr'][] = 'flood_time';
        }
    }
    // perform more spam check
    $comment_action = trigger_change('user_comment_check', $comment_action, $comm);
    if ($comment_action != 'reject') {
        $query = '
INSERT INTO ' . COMMENTS_TABLE . '
  (author, author_id, anonymous_id, content, date, validated, validation_date, image_id, website_url, email)
  VALUES (
    \'' . $comm['author'] . '\',
    ' . $comm['author_id'] . ',
    \'' . $comm['ip'] . '\',
    \'' . $comm['content'] . '\',
    NOW(),
    \'' . ($comment_action == 'validate' ? 'true' : 'false') . '\',
    ' . ($comment_action == 'validate' ? 'NOW()' : 'NULL') . ',
    ' . $comm['image_id'] . ',
    ' . (!empty($comm['website_url']) ? '\'' . $comm['website_url'] . '\'' : 'NULL') . ',
    ' . (!empty($comm['email']) ? '\'' . $comm['email'] . '\'' : 'NULL') . '
  )
';
        pwg_query($query);
        $comm['id'] = pwg_db_insert_id(COMMENTS_TABLE);
        invalidate_user_cache_nb_comments();
        if ($conf['email_admin_on_comment'] && 'validate' == $comment_action or $conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action) {
            include_once PHPWG_ROOT_PATH . 'include/functions_mail.inc.php';
            $comment_url = get_absolute_root_url() . 'comments.php?comment_id=' . $comm['id'];
            $keyargs_content = array(get_l10n_args('Author: %s', stripslashes($comm['author'])), get_l10n_args('Email: %s', stripslashes($comm['email'])), get_l10n_args('Comment: %s', stripslashes($comm['content'])), get_l10n_args(''), get_l10n_args('Manage this user comment: %s', $comment_url));
            if ('moderate' == $comment_action) {
                $keyargs_content[] = get_l10n_args('(!) This comment requires validation');
            }
            pwg_mail_notification_admins(get_l10n_args('Comment by %s', stripslashes($comm['author'])), $keyargs_content);
        }
    }
    return $comment_action;
}
Пример #3
0
        if (is_admin()) {
            if ($row['validated'] != 'true') {
                $tpl_comment['U_VALIDATE'] = add_url_params($url_self, array('action' => 'validate_comment', 'comment_to_validate' => $row['id'], 'pwg_token' => get_pwg_token()));
            }
        }
        $template->append('comments', $tpl_comment);
    }
}
$show_add_comment_form = !is_a_guest() || $conf['guestbook']['guest_can_add'];
if (isset($edit_comment)) {
    $show_add_comment_form = false;
}
if ($show_add_comment_form) {
    foreach (array('content', 'author', 'website', 'email') as $el) {
        ${$el} = '';
        if ('reject' === @$comment_action and !empty($comm[$el])) {
            ${$el} = htmlspecialchars(stripslashes($comm[$el]));
        }
    }
    if (is_classic_user()) {
        $author = $user['username'];
        $email = $user['email'];
    }
    if (empty($conf['comments_email_mandatory'])) {
        $conf['comments_email_mandatory'] = false;
    }
    $template->assign('comment_add', array('F_ACTION' => $url_self, 'KEY' => get_ephemeral_key(3), 'CONTENT' => $content, 'IS_LOGGED' => is_classic_user(), 'AUTHOR' => $author, 'WEBSITE' => $website, 'EMAIL' => $email, 'ACTIVATE_RATING' => $conf['guestbook']['activate_rating'], 'EMAIL_MANDATORY' => $conf['comments_email_mandatory']));
}
$template->assign(array('GUESTBOOK_PATH' => GUESTBOOK_PATH, 'ABS_GUESTBOOK_PATH' => realpath(GUESTBOOK_PATH) . '/'));
$template->set_filename('guestbook', realpath(GUESTBOOK_PATH . 'template/guestbook.tpl'));
$template->assign_var_from_handle('CONTENT', 'guestbook');
Пример #4
0
                    $tpl_comment['PWG_TOKEN'] = get_pwg_token();
                    $tpl_comment['U_CANCEL'] = $url_self;
                }
            }
            if (is_admin()) {
                $tpl_comment['EMAIL'] = $email;
                if ($row['validated'] != 'true') {
                    $tpl_comment['U_VALIDATE'] = add_url_params($url_self, array('action' => 'validate_comment', 'comment_to_validate' => $row['id'], 'pwg_token' => get_pwg_token()));
                }
            }
            $template->append('comments', $tpl_comment);
        }
    }
    $show_add_comment_form = true;
    if (isset($edit_comment)) {
        $show_add_comment_form = false;
    }
    if (is_a_guest() and !$conf['comments_forall']) {
        $show_add_comment_form = false;
    }
    if ($show_add_comment_form) {
        $key = get_ephemeral_key(3, $page['image_id']);
        $tpl_var = array('F_ACTION' => $url_self, 'KEY' => $key, 'CONTENT' => '', 'SHOW_AUTHOR' => !is_classic_user(), 'AUTHOR_MANDATORY' => $conf['comments_author_mandatory'], 'AUTHOR' => '', 'WEBSITE_URL' => '', 'SHOW_EMAIL' => !is_classic_user() or empty($user['email']), 'EMAIL_MANDATORY' => $conf['comments_email_mandatory'], 'EMAIL' => '', 'SHOW_WEBSITE' => $conf['comments_enable_website']);
        if ('reject' == @$comment_action) {
            foreach (array('content', 'author', 'website_url', 'email') as $k) {
                $tpl_var[strtoupper($k)] = htmlspecialchars(stripslashes(@$_POST[$k]));
            }
        }
        $template->assign('comment_add', $tpl_var);
    }
}