[geeklog-cvs] geeklog-1.3/public_html submit.php,1.78,1.79
dhaun at iowaoutdoors.org
dhaun at iowaoutdoors.org
Tue Dec 14 17:33:24 EST 2004
Update of /var/cvs/geeklog-1.3/public_html
In directory www:/tmp/cvs-serv999
Modified Files:
submit.php
Log Message:
More parameter filtering and checks for proper access
Index: submit.php
===================================================================
RCS file: /var/cvs/geeklog-1.3/public_html/submit.php,v
retrieving revision 1.78
retrieving revision 1.79
diff -C2 -d -r1.78 -r1.79
*** submit.php 11 Dec 2004 14:53:36 -0000 1.78
--- submit.php 14 Dec 2004 22:33:22 -0000 1.79
***************
*** 86,89 ****
--- 86,90 ----
$loginreq->set_var('login_message', $LANG_LOGIN[2]);
$loginreq->set_var('site_url', $_CONF['site_url']);
+ $loginreq->set_var('layout_url', $_CONF['layout_url']);
$loginreq->set_var('lang_login', $LANG_LOGIN[3]);
$loginreq->set_var('lang_newuser', $LANG_LOGIN[4]);
***************
*** 94,114 ****
} else {
$retval .= COM_startBlock($LANG12[19])
! . $LANG12[9]
! . COM_endBlock();
switch ($type) {
! case 'link':
! $retval .= submitlink();
! break;
! case 'event':
! $retval .= submitevent($mode,$month,$day,$year,$hour);
! break;
! default:
! if ((strlen($type) > 0) && ($type <> 'story')) {
! $retval .= PLG_showSubmitForm($type);
break;
- }
- $retval .= submitstory($topic);
- break;
}
}
--- 95,117 ----
} else {
$retval .= COM_startBlock($LANG12[19])
! . $LANG12[9]
! . COM_endBlock();
switch ($type) {
! case 'link':
! $retval .= submitlink();
! break;
!
! case 'event':
! $retval .= submitevent($mode,$month,$day,$year,$hour);
! break;
!
! default:
! if ((strlen($type) > 0) && ($type <> 'story')) {
! $retval .= PLG_showSubmitForm($type);
! break;
! }
! $retval .= submitstory($topic);
break;
}
}
***************
*** 116,120 ****
return $retval;
-
}
--- 119,122 ----
***************
*** 129,138 ****
$retval = '';
! $retval .= COM_startBlock($LANG12[4],'submitevent.html');
! $eventform = new Template($_CONF['path_layout'] . 'submit');
! $eventform->set_file('eventform', 'submitevent.thtml');
! $eventform->set_var('explanation', $LANG12[37]);
! $eventform->set_var('site_url', $_CONF['site_url']);
! $eventform->set_var('lang_title', $LANG12[10]);
$types = explode (',', $_CONF['event_types']);
$catdd = '';
--- 131,141 ----
$retval = '';
! $retval .= COM_startBlock ($LANG12[4], 'submitevent.html');
! $eventform = new Template ($_CONF['path_layout'] . 'submit');
! $eventform->set_file ('eventform', 'submitevent.thtml');
! $eventform->set_var ('explanation', $LANG12[37]);
! $eventform->set_var ('site_url', $_CONF['site_url']);
! $eventform->set_var ('layout_url', $_CONF['layout_url']);
! $eventform->set_var ('lang_title', $LANG12[10]);
$types = explode (',', $_CONF['event_types']);
$catdd = '';
***************
*** 144,151 ****
$eventform->set_var('lang_editeventtypes', $LANG12[50]);
$eventform->set_var('type_options', $catdd);
! $eventform->set_var('lang_addeventto',$LANG12[38]);
! $eventform->set_var('lang_mastercalendar',$LANG12[39]);
if ($_CONF['personalcalendars'] == 1 AND $_USER['uid'] > 1) {
! $eventform->set_var('lang_personalcalendar',$LANG12[40]);
if ($mode == 'personal') {
$eventform->set_var('personal_option', '<option value="personal" selected="selected">' . $LANG12[40] . '</option>');
--- 147,155 ----
$eventform->set_var('lang_editeventtypes', $LANG12[50]);
$eventform->set_var('type_options', $catdd);
! $eventform->set_var('lang_addeventto', $LANG12[38]);
! $eventform->set_var('lang_mastercalendar', $LANG12[39]);
!
if ($_CONF['personalcalendars'] == 1 AND $_USER['uid'] > 1) {
! $eventform->set_var('lang_personalcalendar', $LANG12[40]);
if ($mode == 'personal') {
$eventform->set_var('personal_option', '<option value="personal" selected="selected">' . $LANG12[40] . '</option>');
***************
*** 158,180 ****
$eventform->set_var('personal_option', '');
}
$eventform->set_var('lang_link', $LANG12[11]);
$eventform->set_var('max_url_length', 255);
$eventform->set_var('lang_startdate', $LANG12[12]);
$eventform->set_var('lang_starttime', $LANG12[42]);
! if (empty($month)) {
! $month = date('m',time());
}
! if (empty($day)) {
! $day = date('d',time());
}
! if (empty($year)) {
! $year = date('Y',time());
}
$eventform->set_var ('month_options', COM_getMonthFormOptions ($month));
$eventform->set_var ('day_options', COM_getDayFormOptions ($day));
- $cur_year = date('Y',time());
- if (empty($year)) {
- $year = $cur_year;
- }
$eventform->set_var ('year_options', COM_getYearFormOptions ($year));
--- 162,181 ----
$eventform->set_var('personal_option', '');
}
+
$eventform->set_var('lang_link', $LANG12[11]);
$eventform->set_var('max_url_length', 255);
$eventform->set_var('lang_startdate', $LANG12[12]);
$eventform->set_var('lang_starttime', $LANG12[42]);
! if (empty ($month)) {
! $month = date ('m', time ());
}
! if (empty ($day)) {
! $day = date ('d', time ());
}
! if (empty ($year)) {
! $year = date ('Y', time ());
}
$eventform->set_var ('month_options', COM_getMonthFormOptions ($month));
$eventform->set_var ('day_options', COM_getDayFormOptions ($day));
$eventform->set_var ('year_options', COM_getYearFormOptions ($year));
***************
*** 237,240 ****
--- 238,242 ----
$linkform->set_file('linkform', 'submitlink.thtml');
$linkform->set_var('site_url', $_CONF['site_url']);
+ $linkform->set_var('layout_url', $_CONF['layout_url']);
$linkform->set_var('lang_title', $LANG12[10]);
$linkform->set_var('lang_link', $LANG12[11]);
***************
*** 269,281 ****
} else {
$A['sid'] = COM_makeSid();
- if (isset ($_USER['uid']) && ($_USER['uid'] > 1)) {
- $A['uid'] = $_USER['uid'];
- } else {
- $A['uid'] = 1;
- }
$A['unixdate'] = time();
}
! if (empty($A['postmode'])) {
$A['postmode'] = $_CONF['postmode'];
}
--- 271,283 ----
} else {
$A['sid'] = COM_makeSid();
$A['unixdate'] = time();
}
+ if (isset ($_USER['uid']) && ($_USER['uid'] > 1)) {
+ $A['uid'] = $_USER['uid'];
+ } else {
+ $A['uid'] = 1;
+ }
! if (empty ($A['postmode'])) {
$A['postmode'] = $_CONF['postmode'];
}
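Review bot: Moving the owner assignment below the if/else means `$A['uid']` is now always overwritten from the session, which closes the case where a client-supplied `uid` in the existing-story branch survived into the record; that branch (the `if` that starts above the hunk) is not visible here, and nothing in this hunk verifies that the current user is allowed to edit the `sid` it carries, so confirm that check lives there. A one-line comment above the new `if` would make the intent survive the next refactor, e.g. `// owner always comes from the session, never from the submitted form`. The enclosing function continues past the end of the hunk.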
***************
*** 328,333 ****
$storyform->set_file('storyform','submitstory.thtml');
}
! $storyform->set_var('site_url', $_CONF['site_url']);
! $storyform->set_var('lang_username', $LANG12[27]);
if (!empty($_USER['username'])) {
--- 330,336 ----
$storyform->set_file('storyform','submitstory.thtml');
}
! $storyform->set_var ('site_url', $_CONF['site_url']);
! $storyform->set_var ('layout_url', $_CONF['layout_url']);
! $storyform->set_var ('lang_username', $LANG12[27]);
if (!empty($_USER['username'])) {
***************
*** 338,341 ****
--- 341,345 ----
$storyform->set_var('status_url', $_CONF['site_url'] . '/users.php');
$storyform->set_var('lang_loginout', $LANG12[2]);
+ $storyform->set_var('separator', ' | ');
$storyform->set_var('seperator', ' | ');
$storyform->set_var('create_account','<a href="' . $_CONF['site_url'] . '/users.php?mode=new">' . $LANG12[53] . '</a>');
***************
*** 485,490 ****
$A['introtext'] = COM_stripslashes ($A['introtext']);
! $A['title'] = addslashes (strip_tags (COM_checkWords ($A['title'])));
! $A['title'] = str_replace ('$', '$', $A['title']);
if ($A['postmode'] == 'html') {
--- 489,494 ----
$A['introtext'] = COM_stripslashes ($A['introtext']);
! $A['title'] = strip_tags (COM_checkWords ($A['title']));
! $A['title'] = addslashes (str_replace ('$', '$', $A['title']));
if ($A['postmode'] == 'html') {
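Review bot: Escaping last is the right order, but `strip_tags` is not output encoding: the title can still carry `"`, `'` and `<` in non-tag positions, so whatever template later prints it must still apply `htmlspecialchars` (or the site's equivalent) in HTML and attribute context. The `str_replace ('$', '$', …)` as shown is a no-op, which looks like this page's rendering has decoded an HTML entity in the replacement string — worth verifying the committed file still substitutes the `$` with an entity. Suggested comment on the new pair of lines: `// sanitise for HTML first, then addslashes() for the SQL layer last`. The enclosing function starts and ends outside the hunk.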
***************
*** 502,505 ****
--- 506,518 ----
COM_updateSpeedlimit ('submit');
+ $A['tid'] = addslashes (COM_sanitizeID ($A['tid']));
+
+ $result = DB_query ("SELECT group_id,perm_owner,perm_group,perm_members,perm_anon FROM {$_TABLES['topics']} WHERE tid = '{$A['tid']}'" . COM_getTopicSQL ('AND'));
+ if (DB_numRows ($result) == 0) {
+ // user doesn't have access to this topic - bail
+ return COM_refresh ($_CONF['site_url'] . '/index.php');
+ }
+ $T = DB_fetchArray ($result);
+
if (($_CONF['storysubmission'] == 1) && !SEC_hasRights ('story.submit')) {
$introtext = addslashes ($introtext);
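Review bot: The new topic check keys on `COM_getTopicSQL ('AND')`, which presumably expresses the user's read access to the topic; having read access to a topic is not the same as being allowed to post into it, and the only other permission test in the hunk, `SEC_hasRights ('story.submit')`, decides queue-versus-direct-post rather than topic eligibility, so confirm that read access is the intended gate. The check also runs after `COM_updateSpeedlimit ('submit')`, so a rejected submission still consumes a speed-limit slot — acceptable as anti-abuse, but it should be deliberate. A comment above the query, `// verify the caller may access the target topic before either queuing or posting`, would record the reason the query was hoisted out of the direct-post branch. The enclosing function starts and ends outside the hunk.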
***************
*** 515,520 ****
$retval .= COM_refresh ($_CONF['site_url'] . '/index.php?msg=2');
} else { // post this story directly
- $result = DB_query ("SELECT group_id,perm_owner,perm_group,perm_members,perm_anon FROM {$_TABLES['topics']} WHERE tid='{$A['tid']}'");
- $T = DB_fetchArray ($result);
$related = addslashes (implode ("\n", STORY_extractLinks ($introtext)));
--- 528,531 ----
***************
*** 550,555 ****
$retval = '';
! $A['category'] = strip_tags ($A['category']);
! $A['categorydd'] = strip_tags ($A['categorydd']);
if ($A['categorydd'] != $LANG12[18] && !empty ($A['categorydd'])) {
$A['category'] = $A['categorydd'];
--- 561,566 ----
$retval = '';
! $A['category'] = strip_tags (COM_stripslashes ($A['category']));
! $A['categorydd'] = strip_tags (COM_stripslashes ($A['categorydd']));
if ($A['categorydd'] != $LANG12[18] && !empty ($A['categorydd'])) {
$A['category'] = $A['categorydd'];
***************
*** 574,579 ****
if ($pos === false) {
$A['url'] = 'http://' . $A['url'];
! }
! else {
$prot = substr ($A['url'], 0, $pos + 1);
if (($prot != 'http:') && ($prot != 'https:')) {
--- 585,589 ----
if ($pos === false) {
$A['url'] = 'http://' . $A['url'];
! } else {
$prot = substr ($A['url'], 0, $pos + 1);
if (($prot != 'http:') && ($prot != 'https:')) {
***************
*** 864,875 ****
$mode = COM_applyFilter ($_REQUEST['mode']);
! if (($mode == $LANG12[8]) && !empty($LANG12[8])) { // submit
! $display .= savesubmission ($type, $_POST);
} else if (($mode == $LANG12[52]) && !empty ($LANG12[52])) { // delete
// this is only meant for deleting personal events
! if (isset ($_USER['uid']) && ($_USER['uid'] > 1) &&
! ($_REQUEST['type'] == 'event')) {
$eid = COM_applyFilter ($_REQUEST['eid']);
if (!empty ($eid)) {
DB_query ("DELETE FROM {$_TABLES['personal_events']} WHERE uid={$_USER['uid']} AND eid='$eid'");
echo COM_refresh ($_CONF['site_url']
--- 874,891 ----
$mode = COM_applyFilter ($_REQUEST['mode']);
! if (($mode == $LANG12[8]) && !empty ($LANG12[8])) { // submit
! if (empty ($_USER['username']) &&
! (($_CONF['loginrequired'] == 1) || ($_CONF['submitloginrequired'] == 1))) {
! $display = COM_refresh ($_CONF['site_url'] . '/index.php');
! } else {
! $display .= savesubmission ($type, $_POST);
! }
} else if (($mode == $LANG12[52]) && !empty ($LANG12[52])) { // delete
// this is only meant for deleting personal events
! if (($_CONF['personalcalendars'] == 1) && ($_REQUEST['type'] == 'event') &&
! isset ($_USER['uid']) && ($_USER['uid'] > 1)) {
$eid = COM_applyFilter ($_REQUEST['eid']);
if (!empty ($eid)) {
+ $eid = addslashes ($eid);
DB_query ("DELETE FROM {$_TABLES['personal_events']} WHERE uid={$_USER['uid']} AND eid='$eid'");
echo COM_refresh ($_CONF['site_url']
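Review bot: The delete branch reads `mode`, `type` and `eid` from `$_REQUEST`, so a plain GET link with those parameters, followed by a logged-in user from any third-party page, deletes that user's personal event; no anti-CSRF token is visible in this hunk. The `addslashes ($eid)` fix closes the SQL-escaping gap but not this one. At minimum the destructive path should read `$_POST` only, e.g. `if (($_CONF['personalcalendars'] == 1) && ($_POST['type'] == 'event') &&` and `$eid = COM_applyFilter ($_POST['eid']);`, with a per-session token checked before the `DELETE`. The enclosing main block continues past the end of the hunk.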
***************
*** 878,884 ****
}
}
-
$display = COM_refresh ($_CONF['site_url'] . '/index.php');
! } else if (($type == 'event') && isset ($_POST['calendar_type']) &&
($_POST['calendar_type'] == 'personal')) { // quick add form
$display = saveevent ($_POST);
--- 894,900 ----
}
}
$display = COM_refresh ($_CONF['site_url'] . '/index.php');
! } else if (($_CONF['personalcalendars'] == 1) && ($type == 'event') &&
! isset ($_POST['calendar_type']) &&
($_POST['calendar_type'] == 'personal')) { // quick add form
$display = saveevent ($_POST);
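Review bot: The quick-add branch gates on `personalcalendars` and `calendar_type == 'personal'` but, unlike the delete branch in the preceding hunk, not on `isset ($_USER['uid']) && ($_USER['uid'] > 1)`, so an anonymous request can reach `saveevent ($_POST)` for a personal calendar; whether `saveevent` rejects that itself is not visible here. Making the two branches symmetric is a one-line change: `} else if (($_CONF['personalcalendars'] == 1) && isset ($_USER['uid']) && ($_USER['uid'] > 1) && ($type == 'event') &&`. The enclosing main block continues past the end of the hunk.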
***************
*** 892,895 ****
--- 908,912 ----
}
break;
+
case 'event':
if (SEC_hasRights('event.edit') && ($mode != 'personal')) {
***************
*** 928,931 ****
--- 945,949 ----
}
break;
+
default:
if ((strlen ($type) > 0) && ($type <> 'story')) {
***************
*** 958,964 ****
--- 976,984 ----
$pagetitle = $LANG12[4];
break;
+
case 'link':
$pagetitle = $LANG12[5];
break;
+
default:
$pagetitle = $LANG12[6];