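/**
 * Handles a comment edit submission
 *
 * Reads the edited comment from $_POST, rejects malformed requests, checks
 * that the current user is the comment's author or holds the
 * 'comment.moderate' right, writes the new text either to the moderation
 * queue (when $mode equals $LANG03[35]) or to the live comment table, and
 * returns a refresh to the appropriate page.
 *
 * @copyright Jared Wenerd 2008
 * @author Jared Wenerd, wenerd87 AT gmail DOT com
 * @param string $mode whether to store edited comment in the queue
 *                     (compared against $LANG03[35]); anything else
 *                     updates the published comment
 * @return string HTML (possibly a refresh)
 */
function CMT_handleEditSubmit($mode = null)
{
    global $_CONF, $_TABLES, $_USER, $LANG03;

    $type = isset($_POST['type']) ? COM_applyFilter($_POST['type']) : '';
    $sid = isset($_POST['sid']) ? COM_applyFilter($_POST['sid']) : '';
    $cid = isset($_POST['cid']) ? COM_applyFilter($_POST['cid']) : '';
    $postmode = isset($_POST['postmode']) ? COM_applyFilter($_POST['postmode']) : '';

    // anonymous visitors are represented by uid 1
    $uid = empty($_USER['uid']) ? 1 : (int) $_USER['uid'];
    $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

    // check for bad input before touching the database
    if (empty($sid) || empty($_POST['title']) || empty($_POST['comment'])
            || !is_numeric($cid) || $cid < 1) {
        COM_errorLog("CMT_handleEditSubmit(): {$uid} from {$remoteAddr} tried "
            . 'to edit a comment with one or more missing values.');
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }
    // is_numeric() also accepts floats/exponents; only an integer id is used in SQL
    $cid = (int) $cid;

    // check permissions: only the author or a moderator may edit
    $commentuid = DB_getItem($_TABLES['comments'], 'uid', "cid = {$cid}");
    if ($uid != $commentuid && !SEC_hasRights('comment.moderate')) {
        COM_errorLog("CMT_handleEditSubmit(): {$uid} from {$remoteAddr} tried "
            . 'to edit a comment without proper permission.');
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }

    $comment = CMT_prepareText($_POST['comment'], $postmode, $type);
    $title = COM_checkWords(strip_tags(COM_stripslashes($_POST['title'])));

    // edits that must be moderated go to the submission queue instead
    $toQueue = ($mode == $LANG03[35]);
    $table = $toQueue ? $_TABLES['commentsubmissions'] : $_TABLES['comments'];

    if (empty($title) || empty($comment)) {
        COM_errorLog("CMT_handleEditSubmit(): {$uid} from {$remoteAddr} tried "
            . 'to submit a comment with invalid $title and/or $comment.');
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }

    COM_updateSpeedlimit('comment');
    $safeTitle = DB_escapeString($title);
    $safeComment = DB_escapeString($comment);
    $safeSid = DB_escapeString($sid);

    // save the comment into the table; cid and sid must both match so an
    // edit cannot be retargeted at a comment that belongs to another item
    DB_query("UPDATE {$table} SET comment = '{$safeComment}', title = '{$safeTitle}'"
        . " WHERE cid = {$cid} AND sid = '{$safeSid}'");
    if (DB_error()) {
        // saving to non-existent comment or comment in wrong article
        COM_errorLog("CMT_handleEditSubmit(): {$uid} from {$remoteAddr} tried "
            . 'to edit to a non-existent comment or the cid/sid did not match');
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }

    if ($toQueue) {
        return COM_refresh(COM_buildUrl($_CONF['site_admin_url'] . '/moderation.php'));
    }

    // record who edited a published comment and when
    DB_save($_TABLES['commentedits'], 'cid,uid,time', "{$cid},{$uid},NOW()");

    return COM_refresh(COM_buildUrl($_CONF['site_url'] . "/article.php?story={$sid}"));
}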
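/**
 * Handles a comment edit submission
 *
 * Reads the edited comment from $_POST, restricts the comment type to
 * 'article' or an installed plugin, rejects malformed requests, checks
 * that the current user is the author or a member of the 'Root' group,
 * updates the live comment, records the edit, notifies plugins and
 * redirects back to the commented item.
 *
 * @copyright Jared Wenerd 2008
 * @author Jared Wenerd <wenerd87 AT gmail DOT com>
 * @return string HTML (possibly a refresh); exits after printing the
 *                refresh when the plugin supplies an item URL
 */
function handleEditSubmit()
{
    global $_CONF, $_TABLES, $_USER, $_PLUGINS;

    $type = isset($_POST['type']) ? COM_applyFilter($_POST['type']) : '';
    $sid = isset($_POST['sid']) ? COM_sanitizeID(COM_applyFilter($_POST['sid'])) : '';
    $cid = isset($_POST['cid']) ? COM_applyFilter($_POST['cid'], true) : 0;
    $postmode = isset($_POST['postmode']) ? COM_applyFilter($_POST['postmode']) : '';
    $comment = isset($_POST['comment_text']) ? $_POST['comment_text'] : '';

    // only 'article' or an installed plugin may own a comment
    if ($type != 'article' && !in_array($type, $_PLUGINS, true)) {
        $type = '';
    }

    // anonymous visitors are represented by uid 1
    $uid = COM_isAnonUser() ? 1 : (int) $_USER['uid'];
    $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

    // check for bad input before touching the database
    if (empty($sid) || empty($_POST['title']) || empty($comment)
            || !is_numeric($cid) || $cid < 1) {
        COM_errorLog("handleEditSubmit(): {$uid} from {$remoteAddr} tried "
            . 'to edit a comment with one or more missing values.');
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }
    $cid = (int) $cid;

    // check permissions: only the author or Root may edit
    $commentuid = DB_getItem($_TABLES['comments'], 'uid', "cid = {$cid}");
    if ($uid != $commentuid && !SEC_inGroup('Root')) {
        COM_errorLog("handleEditSubmit(): {$uid} from {$remoteAddr} tried "
            . 'to edit a comment without proper permission.');
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }

    $comment = CMT_prepareText($comment, $postmode, true, $cid);
    $title = COM_checkWords(strip_tags($_POST['title']));

    if (empty($title) || empty($comment)) {
        COM_errorLog("handleEditSubmit(): {$uid} from {$remoteAddr} tried "
            . 'to submit a comment with invalid $title and/or $comment.');
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }

    COM_updateSpeedlimit('comment');
    $safeTitle = DB_escapeString($title);
    $safeComment = DB_escapeString($comment);
    $safeSid = DB_escapeString($sid);

    // save the comment into the comment table; cid and sid must both match
    // so an edit cannot be retargeted at a comment on another item
    DB_query("UPDATE {$_TABLES['comments']} SET comment = '{$safeComment}', title = '{$safeTitle}'"
        . " WHERE cid = {$cid} AND sid = '{$safeSid}'");
    if (DB_error()) {
        // saving to non-existent comment or comment in wrong article
        COM_errorLog("handleEditSubmit(): {$uid} from {$remoteAddr} tried "
            . 'to edit to a non-existent comment or the cid/sid did not match');
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }

    // record who edited the comment and when
    DB_save($_TABLES['commentedits'], 'cid,uid,time', "{$cid},{$uid},NOW()");

    PLG_commentEditSave($type, $cid, $sid);

    // send the user back to the item the comment belongs to, if the
    // owning plugin can tell us where that is
    $urlArray = PLG_getCommentUrlId($type);
    if (is_array($urlArray)) {
        $url = $urlArray[0] . '?' . $urlArray[1] . '=' . urlencode($sid);
        echo COM_refresh($url);
        exit;
    }

    return COM_refresh($_CONF['site_url'] . '/index.php');
}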
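/**
 * Handles a comment edit submission
 *
 * Reads the edited comment from $_POST (keys CMT_TYPE, CMT_SID, CMT_CID,
 * 'postmode', 'title', 'comment'), rejects malformed requests, checks that
 * the current user is the author or holds 'comment.moderate', writes the
 * new text either to the moderation queue (when $mode equals $LANG03[35])
 * or to the live comment table, and redirects back to the commented item.
 * For a published comment the edit is also recorded and the feed and
 * What's New caches are refreshed.
 *
 * @copyright Jared Wenerd 2008
 * @author Jared Wenerd, wenerd87 AT gmail DOT com
 * @param string $mode whether to store edited comment in the queue
 *                     (compared against $LANG03[35]); anything else
 *                     updates the published comment
 * @return string HTML (possibly a refresh)
 */
function CMT_handleEditSubmit($mode = null)
{
    global $_CONF, $_TABLES, $_USER, $LANG03;

    $type = isset($_POST[CMT_TYPE]) ? COM_applyFilter($_POST[CMT_TYPE]) : '';
    $sid = isset($_POST[CMT_SID]) ? COM_applyFilter($_POST[CMT_SID]) : '';
    $cid = isset($_POST[CMT_CID]) ? (int) COM_applyFilter($_POST[CMT_CID], true) : 0;
    $postmode = isset($_POST['postmode']) ? COM_applyFilter($_POST['postmode']) : '';

    // anonymous visitors are represented by uid 1
    $uid = empty($_USER['uid']) ? 1 : (int) $_USER['uid'];
    $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

    // check for bad input before touching the database
    if (empty($sid) || empty($_POST['title']) || empty($_POST['comment'])
            || $cid <= 0 || empty($type) || empty($postmode)) {
        COM_errorLog("CMT_handleEditSubmit(): {$uid} from {$remoteAddr} tried "
            . 'to edit a comment with one or more missing values.');
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }

    // check permissions: only the author or a moderator may edit
    $commentuid = DB_getItem($_TABLES['comments'], 'uid', "cid = {$cid}");
    if ($uid != $commentuid && !SEC_hasRights('comment.moderate')) {
        COM_errorLog("CMT_handleEditSubmit(): {$uid} from {$remoteAddr} tried "
            . 'to edit a comment without proper permission.');
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }

    $comment = CMT_prepareText($_POST['comment'], $postmode, $type);
    $title = COM_checkWords(strip_tags(COM_stripslashes($_POST['title'])));

    // edits that must be moderated go to the submission queue instead
    $toQueue = ($mode == $LANG03[35]);
    $table = $toQueue ? $_TABLES['commentsubmissions'] : $_TABLES['comments'];

    if (empty($title) || empty($comment)) {
        COM_errorLog("CMT_handleEditSubmit(): {$uid} from {$remoteAddr} tried "
            . 'to submit a comment with invalid $title and/or $comment.');
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }

    COM_updateSpeedlimit('comment');
    $safeTitle = DB_escapeString($title);
    $safeComment = DB_escapeString($comment);
    $safeType = DB_escapeString($type);
    $safeSid = DB_escapeString($sid);

    // save the comment into the table; cid and sid must both match so an
    // edit cannot be retargeted at a comment that belongs to another item
    DB_query("UPDATE {$table} SET comment = '{$safeComment}', title = '{$safeTitle}', type = '{$safeType}'"
        . " WHERE cid = {$cid} AND sid = '{$safeSid}'");
    if (DB_error()) {
        // saving to non-existent comment or comment in wrong article
        COM_errorLog("CMT_handleEditSubmit(): {$uid} from {$remoteAddr} tried "
            . 'to edit to a non-existent comment or the cid/sid did not match');
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }

    if ($toQueue) {
        return COM_refresh(COM_buildUrl($_CONF['site_admin_url'] . '/moderation.php'));
    }

    // save edit information for the published comment and update any feeds
    DB_save($_TABLES['commentedits'], 'cid,uid,time', "{$cid},{$uid},NOW()");
    COM_rdfUpToDateCheck('comment');

    // delete the What's New block cache so it can get updated again
    if ($_CONF['whatsnew_cache_time'] > 0 && !$_CONF['hidenewcomments']) {
        // remove all whatsnew instances
        CACHE_remove_instance('whatsnew__');
    }

    // send the user back to the item the comment belongs to
    $urlParts = CMT_getCommentUrlId($type);
    if (!is_array($urlParts) || count($urlParts) < 2) {
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }
    list($plgurl, $plgid) = $urlParts;

    return COM_refresh("{$plgurl}?{$plgid}={$sid}");
}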
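/**
 * Save a comment
 *
 * Validates the submission, enforces the anonymous-comment and speed-limit
 * policies, lets plugins reject spam or veto the save, and then inserts the
 * comment into the nested-set comment tree (lft/rht/indent) under $pid, or
 * as a new top-level comment when $pid is 0 or invalid. Only when a row was
 * actually stored are the caches cleared and the subscription / notification
 * hooks run.
 *
 * @author Vincent Furia, vinny01 AT users DOT sourceforge DOT net
 * @param string $title    Title of comment
 * @param string $comment  Text of comment
 * @param string $sid      ID of object receiving comment
 * @param int    $pid      ID of parent comment (0 for a top-level comment)
 * @param string $type     Type of comment this is (article, polls, etc)
 * @param string $postmode Indicates if text is HTML or plain text
 * @return int 0 for success, > 0 indicates error: 1 missing values,
 *             2 anonymous comments disabled, 3 speed limit not expired,
 *             4 parent comment not found, 5 title/comment empty after
 *             filtering, or the value returned by PLG_commentPreSave
 */
function CMT_saveComment($title, $comment, $sid, $pid, $type, $postmode)
{
    global $_CONF, $_TABLES, $_USER, $LANG03;

    $ret = 0;
    $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

    // Get a valid uid; anonymous visitors are uid 1
    $uid = empty($_USER['uid']) ? 1 : (int) $_USER['uid'];

    // Sanity check
    if (empty($sid) || empty($title) || empty($comment) || empty($type)) {
        COM_errorLog("CMT_saveComment: {$uid} from {$remoteAddr} tried "
            . 'to submit a comment with one or more missing values.');
        // keep any error text a pre-save hook already left for the user
        $msg = $LANG03[12];
        if (SESS_isSet('glfusion.commentpresave.error')) {
            $msg = SESS_getVar('glfusion.commentpresave.error') . '<br/>' . $msg;
        }
        SESS_setVar('glfusion.commentpresave.error', $msg);
        return 1;
    }

    // Check that anonymous comments are allowed
    if ($uid == 1 && ($_CONF['loginrequired'] == 1 || $_CONF['commentsloginrequired'] == 1)) {
        COM_errorLog("CMT_saveComment: IP address {$remoteAddr} "
            . 'attempted to save a comment with anonymous comments disabled for site.');
        return 2;
    }

    // Check for people breaking the speed limit
    COM_clearSpeedlimit($_CONF['commentspeedlimit'], 'comment');
    if (COM_checkSpeedlimit('comment') > 0) {
        COM_errorLog("CMT_saveComment: {$uid} from {$remoteAddr} tried "
            . 'to submit a comment before the speed limit expired');
        return 3;
    }

    // Let plugins have a chance to check for spam
    $spamcheck = '<h1>' . $title . '</h1><p>' . $comment . '</p>';
    $result = PLG_checkforSpam($spamcheck, $_CONF['spamx']);
    if ($result > 0) {
        // update speed limit nonetheless, then tell them to get lost ...
        COM_updateSpeedlimit('comment');
        COM_displayMessageAndAbort($result, 'spamx', 403, 'Forbidden');
    }

    // Let plugins have a chance to decide what to do before saving the comment, return errors.
    $someError = PLG_commentPreSave($uid, $title, $comment, $sid, $pid, $type, $postmode);
    if ($someError) {
        return $someError;
    }

    $title = COM_checkWords(strip_tags($title));
    $comment = CMT_prepareText($comment, $postmode);

    // a non-numeric or negative pid just creates a top-level comment
    // that is a reply to the original item
    $pid = (is_numeric($pid) && $pid > 0) ? (int) $pid : 0;

    if (empty($title) || empty($comment)) {
        COM_errorLog("CMT_saveComment: {$uid} from {$remoteAddr} tried "
            . 'to submit a comment with invalid $title and/or $comment.');
        return 5;
    }

    COM_updateSpeedlimit('comment');
    $title = DB_escapeString($title);
    $comment = DB_escapeString($comment);
    $type = DB_escapeString($type);
    $safeSid = DB_escapeString($sid);
    $safeIp = DB_escapeString($remoteAddr);
    $columns = 'sid,uid,comment,date,title,pid,lft,rht,indent,type,ipaddress';

    // Insert the comment into the comment table. The lock protects the
    // lft/rht renumbering below, so every path must reach DB_unlockTable().
    DB_lockTable($_TABLES['comments']);
    if ($pid > 0) {
        $result = DB_query("SELECT rht, indent FROM {$_TABLES['comments']}"
            . " WHERE cid = {$pid} AND sid = '{$safeSid}'");
        // a missing parent is not a DB error, so check the fetched row too
        $parent = DB_fetchArray($result);
        if (!DB_error() && $parent !== false) {
            $rht = (int) $parent[0];
            $indent = (int) $parent[1];
            // open a two-wide gap in the nested set just before the parent's rht
            DB_query("UPDATE {$_TABLES['comments']} SET lft = lft + 2 "
                . "WHERE sid = '{$safeSid}' AND type = '{$type}' AND lft >= {$rht}");
            DB_query("UPDATE {$_TABLES['comments']} SET rht = rht + 2 "
                . "WHERE sid = '{$safeSid}' AND type = '{$type}' AND rht >= {$rht}");
            DB_save($_TABLES['comments'], $columns,
                "'{$safeSid}',{$uid},'{$comment}',now(),'{$title}',{$pid},{$rht},"
                . ($rht + 1) . ',' . ($indent + 1) . ",'{$type}','{$safeIp}'");
        } else {
            // replying to non-existent comment or comment in wrong article
            COM_errorLog("CMT_saveComment: {$uid} from {$remoteAddr} tried "
                . 'to reply to a non-existent comment or the pid/sid did not match');
            $ret = 4; // Cannot return here, tables locked!
        }
    } else {
        // new top-level comment goes after the current right-most node
        $rht = (int) DB_getItem($_TABLES['comments'], 'MAX(rht)', "sid = '{$safeSid}'");
        if (DB_error()) {
            $rht = 0;
        }
        DB_save($_TABLES['comments'], $columns,
            "'{$safeSid}',{$uid},'{$comment}',now(),'{$title}',{$pid},"
            . ($rht + 1) . ',' . ($rht + 2) . ",0,'{$type}','{$safeIp}'");
    }

    $cid = ($ret == 0) ? (int) DB_insertId() : 0;

    // set Anonymous user name if present (only for a row that was stored)
    if ($ret == 0 && isset($_POST['username'])) {
        $name = strip_tags(USER_sanitizeName($_POST['username']));
        DB_change($_TABLES['comments'], 'name', DB_escapeString($name), 'cid', $cid);
    }
    DB_unlockTable($_TABLES['comments']);

    if ($ret != 0) {
        return $ret;
    }

    CACHE_remove_instance('whatsnew');
    if ($type == 'article') {
        CACHE_remove_instance('story_' . $sid);
    }

    // check to see if user has subscribed....
    if (!COM_isAnonUser()) {
        if (isset($_POST['subscribe']) && $_POST['subscribe'] == 1) {
            $itemInfo = PLG_getItemInfo($type, $sid, 'url,title');
            $id_desc = isset($itemInfo['title']) ? $itemInfo['title'] : 'not defined';
            PLG_subscribe('comment', $type, $sid, $uid, $type, $id_desc);
        } else {
            PLG_unsubscribe('comment', $type, $sid);
        }
    }

    // Send notification of comment if notifications are enabled for comments.
    // NOTE(review): $title and $comment are the DB-escaped copies here, exactly
    // as before; confirm CMT_sendNotification expects them escaped.
    if (isset($_CONF['notification']) && in_array('comment', $_CONF['notification'], true)) {
        CMT_sendNotification($title, $comment, $uid, $remoteAddr, $type, $cid);
    }
    PLG_sendSubscriptionNotification('comment', $type, $sid, $cid, $uid);

    return $ret;
}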