$sessionid = $_COOKIE["PHPSESSID"]; } else { $sessionid = "0"; } $sqlcheck = "SELECT priv FROM authorize WHERE session_id ='{$sessionid}' AND priv = '{$priv}'"; $resultcheck = $conn->query($sqlcheck); $rowcheck = $resultcheck->fetch_assoc(); if ($resultcheck->num_rows > 0) { // priv must be greater than 2 if ($rowcheck['priv'] > 2) { if ($_POST['action'] == "create") { $id = explode("#", $_POST['id'])[0]; // if anchor stands behind the id $name = $_POST['name']; $text = $_POST['text']; $name = eliminateHtml($name); $text = parseContent($text); $sql = "INSERT into comment (entry_id, reporter, text) values ({$id}, '{$name}' , '{$text}')"; $result = $conn->query($sql); $sql1 = "SELECT comment_id, created_at, reporter, text from comment where entry_id = '{$id}' ORDER BY comment_id desc LIMIT 1"; $result1 = $conn->query($sql1); $response = ""; while ($row = $result1->fetch_assoc()) { $response = $response . $row['comment_id'] . "#?#" . $row['reporter'] . "#?#" . $row['text'] . "#?#" . $row['created_at']; } echo $response; } } else { echo "<br><link href='https://fonts.googleapis.com/css?family=Montserrat' rel='stylesheet' type='text/css'>\n <link rel='stylesheet' type='text/css' href='/css/theme.css'><div style='text-align: center' class='feedback'>Error: Comment not created - Privileges are insufficient</div>"; } // priv must be greater than 7
$usr = $row["reporter"]; $subj = $row["subject"]; $keyw = $row["keyword"]; $cont = $row["content"]; $foo = "Change"; } if (isset($_POST['submit'])) { $reporter = $_POST['username']; $subject = $_POST['subject']; $content = $_POST['content']; $keyword = $_POST['keyword']; $session_id = session_id(); // replace < and > in reporter and subject $reporter = eliminateHtml($reporter); $subject = eliminateHtml($subject); $keyword = eliminateHtml($keyword); // parse content part $content = parseContent($content); // check if privileges are correct if (isset($_COOKIE['login'])) { $priv = $_COOKIE['login']; } else { $priv = "0"; } if (isset($_COOKIE["PHPSESSID"])) { $sessionid = $_COOKIE["PHPSESSID"]; } else { $sessionid = "0"; } $sqlcheck = "SELECT priv FROM authorize WHERE session_id ='{$sessionid}' AND priv = '{$priv}'"; $resultcheck = $conn->query($sqlcheck);
include 'parseHtml.php'; include 'db.php'; // Create connection $conn = new mysqli($servername, $username, $password, $dbname); // Check connection if ($conn->connect_error) { die("Connection failed: " . $conn->connect_error); } if (isset($_POST['submit'])) { $reporter = $_POST['username']; $subject = $_POST['subject']; $content = $_POST['content']; $session_id = session_id(); // replace < and > in reporter and subject $reporter = eliminateHtml($reporter); $subject = eliminateHtml($subject); // parse content part $content = parseContent($content); $sql = "INSERT INTO entry (session_id, reporter, subject, content) VALUES ('{$session_id}', '{$reporter}', '{$subject}', '{$content}')"; if ($conn->query($sql) === TRUE) { $error = "New entry created successfully"; } else { $error = "Error: " . $sql . "<br>" . $conn->error; } } $conn->close(); ?> <!DOCTYPE html> <html>