$caption = mysql_escape_string(nl2br(htmlentities(trim($_POST['caption'])))); $category = get_category_by_category_id($_POST['category_id'], $db_read); if (validate_title($title) == false) { show_error_redirect_back("Invalid title. Titles have to be 0-{$max_length_title} characters."); } if (validate_comment($caption) == false) { show_error_redirect_back("Invalid caption. Captions have to be 0-{$max_length_comment} characters."); } # Make sure he's uploading to his own category $result = try_mysql_query("SELECT * FROM categories WHERE user_id='" . $me['user_id'] . "' AND category_id='" . $category['category_id'] . "'", $db_read); if (mysql_num_rows($result) == 0) { show_error_redirect_back("Invalid category."); } mysql_free_result($result); # Insert the new picture try_mysql_query("INSERT INTO pictures (category_id, title, filename, caption, date_added) VALUES ('" . $category['category_id'] . "', '{$title}', '{$image_filename}', '{$caption}', NOW())", $db_write); $picture_id = mysql_insert_id($db_write); # Update the las modified category (used for the default selection in the category combo) try_mysql_query("UPDATE users SET last_category='" . $category['category_id'] . "' WHERE user_id='" . $me['user_id'] . "'", $db_write); # Update the last modified time for the private user/category try_mysql_query("UPDATE users SET last_updated=NOW() WHERE user_id='" . $me['user_id'] . "'", $db_write); try_mysql_query("UPDATE categories SET last_updated=NOW() WHERE category_id='" . $category['category_id'] . "'", $db_write); # Set the last modified time for the public user/category if ($category['private'] != '1') { try_mysql_query("UPDATE users SET last_updated_public=NOW() WHERE user_id='" . $me['user_id'] . "'", $db_write); try_mysql_query("UPDATE categories SET last_updated_public=NOW() WHERE category_id='" . $category['category_id'] . "'", $db_write); } $user_ids = get_emails_notify_pictures($db_read); smtp_send($user_ids, "OSPAP - New Picture", "New picture notification", "A new picture has been posted in " . $me['username'] . "'s category, " . $category['name'] . "! Here is a link to it:\n\n" . get_full_path_to("show_picture.php?picture_id=" . $picture_id) . "\n\nTitle: {$title}\n\nCaption:\n{$caption}\n\nNote: this is an automatic email, please don't reply."); show_message_redirect("Picture successfully uploaded", "show_category.php?category_id=" . $category['category_id']);
$pictures_result = try_mysql_query("SELECT * FROM pictures WHERE category_id='{$category_id}'", $db_read); while ($row = mysql_fetch_assoc($pictures_result)) { try_mysql_query("DELETE FROM comments WHERE picture_id='" . $pictures_result['picture_id'] . "'", $db_write); } mysql_free_result($pictures_result); try_mysql_query("DELETE FROM pictures WHERE category_id='{$category_id}'", $db_write); try_mysql_query("DELETE FROM categories WHERE category_id='{$category_id}'", $db_write); show_message_redirect("Category deleted", "show_user.php?user_id=" . $assoc['user_id']); } else { # The user is deleting a picture $picture_id = $_GET['picture_id']; if (is_numeric($picture_id) == false) { redirect_back(); } // Get the category $result = try_mysql_query("SELECT user_id,pictures.category_id FROM categories,pictures WHERE categories.category_id = pictures.category_id AND picture_id = {$picture_id}", $db_read); $assoc = mysql_fetch_assoc($result); mysql_free_result($result); if ($me['admin'] != 1 && $assoc['user_id'] != $me['user_id']) { show_error_redirect_back("Access denied"); } try_mysql_query("DELETE FROM pictures WHERE picture_id = '{$picture_id}'", $db_write); try_mysql_query("DELETE FROM comments WHERE picture_id = '{$picture_id}'", $db_write); show_message_redirect("Picture deleted", "show_category.php?category_id=" . $assoc['category_id']); } ?>
# Post a comment on an image. # header('Pragma: no-cache'); require 'shared.php'; # Make a connection to the database $db_read = get_db_read(); $db_write = get_db_write(); if (!$me) { show_error_redirect_back("Please log in first"); } if (isset($_POST['picture_id']) == false) { show_error_redirect_back("Couldn't find picture id"); } if (isset($_POST['comment']) == false) { show_error_redirect_back("Couldn't find comment"); } $comment = mysql_escape_string(nl2br(htmlentities(trim($_POST['comment'])))); $picture_id = $_POST['picture_id']; if (validate_comment($comment) == false) { show_error_redirect_back("Invalid comment. Comments have to be 0-{$max_length_comment} characters."); } if (is_numeric($picture_id) == false) { show_error_redirect_back("Invalid category."); } try_mysql_query("INSERT INTO comments (user_id, picture_id, text, date_added) VALUES ('" . $me['user_id'] . "', '{$picture_id}', '{$comment}', NOW())", $db_write); $user = get_user_from_picture_id($picture_id, $db_read); if ($user['notify_comments'] == '1') { smtp_send(array($user['email']), "OSPAP - New Comment", "New Comment Notification", "A new comment has been posted for one of your pictures! It was posted by " . $me['username'] . " and can be viewed here:\n" . get_full_path_to("show_picture.php?picture_id={$picture_id}") . "\n\nNote: this is an automatic email, please don't reply."); } show_message_redirect("Comment added", "show_picture.php?picture_id={$picture_id}#comments");