[geeklog-cvs] geeklog-1.3/public_html submit.php,1.60,1.61
dhaun at geeklog.net
dhaun at geeklog.net
Mon Feb 2 14:14:09 EST 2004
Update of /usr/cvs/geeklog/geeklog-1.3/public_html
In directory geeklog_prod:/tmp/cvs-serv22220
Modified Files:
submit.php
Log Message:
Added parameter checking
Index: submit.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/submit.php,v
retrieving revision 1.60
retrieving revision 1.61
diff -C2 -d -r1.60 -r1.61
*** submit.php 24 Jan 2004 21:52:01 -0000 1.60
--- submit.php 2 Feb 2004 19:14:07 -0000 1.61
***************
*** 54,59 ****
function submissionform($type='story', $mode = '', $month='', $day='', $year='', $hour='', $topic = '')
{
! global $_TABLES, $_CONF, $LANG12, $REMOTE_ADDR, $_USER, $HTTP_POST_VARS,
! $LANG_LOGIN;
$retval = '';
--- 54,58 ----
function submissionform($type='story', $mode = '', $month='', $day='', $year='', $hour='', $topic = '')
{
! global $_CONF, $_TABLES, $_USER, $LANG12, $LANG_LOGIN;
$retval = '';
***************
*** 118,122 ****
function submitevent($mode = '', $month = '', $day = '', $year = '', $hour='')
{
! global $_CONF,$LANG12, $LANG30, $_STATES, $_USER;
$retval = '';
--- 117,121 ----
function submitevent($mode = '', $month = '', $day = '', $year = '', $hour='')
{
! global $_CONF, $_USER, $LANG12, $LANG30, $_STATES;
$retval = '';
***************
*** 142,152 ****
$eventform->set_var('lang_personalcalendar',$LANG12[40]);
if ($mode == 'personal') {
! $eventform->set_var('personal_option', '<option value="personal" selected="SELECTED">' . $LANG12[40] . '</option>');
} else {
$eventform->set_var('personal_option', '<option value="personal">' . $LANG12[40] . '</option>');
! $eventform->set_var('master_checked', 'selected="SELECTED"');
}
} else {
! $eventform->set_var('master_checked', 'selected="SELECTED"');
$eventform->set_var('personal_option', '');
}
--- 141,151 ----
$eventform->set_var('lang_personalcalendar',$LANG12[40]);
if ($mode == 'personal') {
! $eventform->set_var('personal_option', '<option value="personal" selected="selected">' . $LANG12[40] . '</option>');
} else {
$eventform->set_var('personal_option', '<option value="personal">' . $LANG12[40] . '</option>');
! $eventform->set_var('master_checked', 'selected="selected"');
}
} else {
! $eventform->set_var('master_checked', 'selected="selected"');
$eventform->set_var('personal_option', '');
}
***************
*** 173,177 ****
$month_options .= '<option value="' . $mval . '" ';
if ($i == $month) {
! $month_options .= 'selected="SELECTED"';
}
$month_options .= '>' . $LANG30[$mval+12] . '</option>';
--- 172,176 ----
$month_options .= '<option value="' . $mval . '" ';
if ($i == $month) {
! $month_options .= 'selected="selected"';
}
$month_options .= '>' . $LANG30[$mval+12] . '</option>';
***************
*** 187,191 ****
$day_options .= '<option value="' . $dval . '" ';
if ($i == $day) {
! $day_options .= 'selected="SELECTED"';
}
$day_options .= '>' . $dval . '</option>';
--- 186,190 ----
$day_options .= '<option value="' . $dval . '" ';
if ($i == $day) {
! $day_options .= 'selected="selected"';
}
$day_options .= '>' . $dval . '</option>';
***************
*** 205,209 ****
$year_options .= '<option value="' . $i . '" ';
if ($i == $year) {
! $year_options .= 'selected="SELECTED"';
}
$year_options .= '>' . $i . '</option>';
--- 204,208 ----
$year_options .= '<option value="' . $i . '" ';
if ($i == $year) {
! $year_options .= 'selected="selected"';
}
$year_options .= '>' . $i . '</option>';
***************
*** 221,225 ****
$hour_options .= '<option value="12" ';
if ($cur_hour == 12) {
! $hour_options .= 'selected="SELECTED"';
}
$hour_options .= '>12</option>';
--- 220,224 ----
$hour_options .= '<option value="12" ';
if ($cur_hour == 12) {
! $hour_options .= 'selected="selected"';
}
$hour_options .= '>12</option>';
***************
*** 227,238 ****
$hour_options .= '<option value="' . $hval . '" ';
if ($cur_hour == $i) {
! $hour_options .= 'selected="SELECTED"';
}
$hour_options .= '>' . $i . '</option>';
}
if ($hour >= 12) {
! $eventform->set_var('pm_selected','selected="SELECTED"');
} else {
! $eventform->set_var('am_selected','selected="SELECTED"');
}
$eventform->set_var('hour_options', $hour_options);
--- 226,237 ----
$hour_options .= '<option value="' . $hval . '" ';
if ($cur_hour == $i) {
! $hour_options .= 'selected="selected"';
}
$hour_options .= '>' . $i . '</option>';
}
if ($hour >= 12) {
! $eventform->set_var('pm_selected','selected="selected"');
} else {
! $eventform->set_var('am_selected','selected="selected"');
}
$eventform->set_var('hour_options', $hour_options);
***************
*** 250,254 ****
$state_options .= '<option value="' . key($_STATES) . '" ';
if (key($_STATES) == $cur_state) {
! $state_options .= 'selected="SELECTED"';
}
$state_options .= '>' . current($_STATES) . '</option>';
--- 249,253 ----
$state_options .= '<option value="' . key($_STATES) . '" ';
if (key($_STATES) == $cur_state) {
! $state_options .= 'selected="selected"';
}
$state_options .= '>' . current($_STATES) . '</option>';
***************
*** 304,308 ****
function submitstory($topic = '')
{
! global $_TABLES, $HTTP_POST_VARS, $_CONF, $LANG12, $_USER;
if ($HTTP_POST_VARS['mode'] == $LANG12[32]) { // preview
--- 303,307 ----
function submitstory($topic = '')
{
! global $_CONF, $_TABLES, $_USER, $HTTP_POST_VARS, $LANG12;
if ($HTTP_POST_VARS['mode'] == $LANG12[32]) { // preview
***************
*** 310,317 ****
} else {
$A['sid'] = COM_makeSid();
! if (empty ($_USER['username'])) {
! $A['uid'] = 1;
! } else {
$A['uid'] = $_USER['uid'];
}
$A['unixdate'] = time();
--- 309,316 ----
} else {
$A['sid'] = COM_makeSid();
! if (isset ($_USER['uid']) && ($_USER['uid'] > 1)) {
$A['uid'] = $_USER['uid'];
+ } else {
+ $A['uid'] = 1;
}
$A['unixdate'] = time();
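Review bot: The "current user or anonymous" resolution added here (`if (isset ($_USER['uid']) && ($_USER['uid'] > 1)) { $A['uid'] = $_USER['uid']; } else { $A['uid'] = 1; }`) is repeated verbatim in the link, event and story branches of savesubmission (hunks starting `*** 542,556`, `*** 633,640` and `*** 688,711`), so the rule now lives in four places. A small helper would keep the copies from drifting, e.g. `$A['uid'] = submit_currentUserId();` with the helper returning `(isset ($_USER['uid']) && ($_USER['uid'] > 1)) ? $_USER['uid'] : 1;`. The test also assumes `$_USER['uid']` is numeric (uid 1 being the anonymous account), which deserves a one-line comment at the first occurrence since nothing in the hunk states it. submitstory's body starts and ends outside this hunk.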
***************
*** 506,510 ****
function savesubmission($type,$A)
{
! global $_TABLES, $LANG12, $_USER, $REMOTE_ADDR, $_CONF;
switch ($type) {
--- 505,509 ----
function savesubmission($type,$A)
{
! global $_CONF, $_TABLES, $_USER, $LANG12;
switch ($type) {
***************
*** 542,556 ****
COM_updateSpeedlimit ('submit');
if (($_CONF['linksubmission'] == 1) && !SEC_hasRights('link.submit')) {
! $result = DB_save($_TABLES['linksubmission'],'lid,category,url,description,title,date',"{$A["lid"]},'{$A["category"]}','{$A["url"]}','{$A["description"]}','{$A['title']}',NOW()",$_CONF['site_url']."/index.php?msg=3");
if (isset ($_CONF['notification']) && in_array ('link', $_CONF['notification'])) {
sendNotification ($_TABLES['linksubmission'], $A);
}
} else { // add link directly
! if (empty ($_USER['username'])) { // anonymous user
! $owner_id = 1;
! } else {
$owner_id = $_USER['uid'];
}
! $result = DB_save($_TABLES['links'],'lid,category,url,description,title,date,owner_id', "{$A["lid"]},'{$A["category"]}','{$A["url"]}','{$A["description"]}','{$A['title']}',NOW(),$owner_id", $_CONF['site_url'] . '/links.php');
if (isset ($_CONF['notification']) && in_array ('link', $_CONF['notification'])) {
sendNotification ($_TABLES['links'], $A);
--- 541,555 ----
COM_updateSpeedlimit ('submit');
if (($_CONF['linksubmission'] == 1) && !SEC_hasRights('link.submit')) {
! $result = DB_save($_TABLES['linksubmission'],'lid,category,url,description,title,date',"{$A['lid']},'{$A['category']}','{$A['url']}','{$A['description']}','{$A['title']}',NOW()",$_CONF['site_url'].'/index.php?msg=3');
if (isset ($_CONF['notification']) && in_array ('link', $_CONF['notification'])) {
sendNotification ($_TABLES['linksubmission'], $A);
}
} else { // add link directly
! if (isset ($_USER['uid']) && ($_USER['uid'] > 1)) {
$owner_id = $_USER['uid'];
+ } else {
+ $owner_id = 1; // anonymous user
}
! $result = DB_save($_TABLES['links'],'lid,category,url,description,title,date,owner_id', "{$A['lid']},'{$A['category']}','{$A['url']}','{$A['description']}','{$A['title']}',NOW(),$owner_id", $_CONF['site_url'] . '/links.php');
if (isset ($_CONF['notification']) && in_array ('link', $_CONF['notification'])) {
sendNotification ($_TABLES['links'], $A);
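Review bot: The DB_save value strings on the two changed lines still build SQL by interpolating `$A['lid']`, `$A['category']`, `$A['url']`, `$A['description']` and `$A['title']` directly; the commit only switches the array-key quoting and adds no escaping or validation. Whether $A was escaped before reaching savesubmission is not visible here, so either the values should be passed through addslashes (or the DB layer's escaping) at the top of savesubmission, or that contract documented with a comment such as `// $A must already be DB-escaped by the caller`. `{$A['lid']}` is also inserted unquoted, so if lid is meant to be numeric an `intval ($A['lid'])` would make that explicit. The same applies to the events and stories DB_save lines in the hunks starting `*** 633,640`, `*** 645,652` and `*** 688,711`. savesubmission begins and ends outside this hunk.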
***************
*** 568,572 ****
}
break;
! case "event":
if (!empty($A['title']) && (!empty($A['start_month']) AND !empty($A['start_day']) AND !empty($A['start_year']))) {
$A['datestart'] = $A['start_year'] . '-' . $A['start_month'] . '-' . $A['start_day'];
--- 567,571 ----
}
break;
! case 'event':
if (!empty($A['title']) && (!empty($A['start_month']) AND !empty($A['start_day']) AND !empty($A['start_year']))) {
$A['datestart'] = $A['start_year'] . '-' . $A['start_month'] . '-' . $A['start_day'];
***************
*** 633,640 ****
}
} else {
! if (empty ($_USER['username'])) { // anonymous user
! $owner_id = 1;
! } else {
$owner_id = $_USER['uid'];
}
$result = DB_save($_TABLES['events'],'eid,title,event_type,url,datestart,timestart,dateend,timeend,allday,location,address1,address2,city,state,zipcode,description,owner_id',"{$A['eid']},'{$A['title']}','{$A['event_type']}','{$A['url']}','{$A['datestart']}','{$A['timestart']}','{$A['dateend']}','{$A['timeend']}',{$A['allday']},'{$A['location']}','{$A['address1']}','{$A['address2']}','{$A['city']}','{$A['state']}','{$A['zipcode']}','{$A['description']}',$owner_id", $_CONF['site_url'] . '/calendar.php');
--- 632,639 ----
}
} else {
! if (isset ($_USER['uid']) && ($_USER['uid'] > 1)) {
$owner_id = $_USER['uid'];
+ } else {
+ $owner_id = 1; // anonymous user
}
$result = DB_save($_TABLES['events'],'eid,title,event_type,url,datestart,timestart,dateend,timeend,allday,location,address1,address2,city,state,zipcode,description,owner_id',"{$A['eid']},'{$A['title']}','{$A['event_type']}','{$A['url']}','{$A['datestart']}','{$A['timestart']}','{$A['dateend']}','{$A['timeend']}',{$A['allday']},'{$A['location']}','{$A['address1']}','{$A['address2']}','{$A['city']}','{$A['state']}','{$A['zipcode']}','{$A['description']}',$owner_id", $_CONF['site_url'] . '/calendar.php');
***************
*** 645,652 ****
}
} else {
! if (empty($A['uid'])) {
$A['uid'] = $_USER['uid'];
}
! $result = DB_save($_TABLES['personal_events'],'uid,eid,title,event_type,url,datestart,timestart,dateend,timeend,allday,location,address1,address2,city,state,zipcode,description',"{$A['uid']},'{$A['eid']}','{$A['title']}','{$A['event_type']}','{$A['url']}','{$A['datestart']}','{$A['timestart']}','{$A['dateend']}','{$A['timeend']}',{$A['allday']},'{$A['location']}','{$A['address1']}','{$A['address2']}','{$A['city']}','{$A['state']}','{$A['zipcode']}','{$A['description']}'",$_CONF['site_url']."/calendar.php?mode=personal&msg=4");
}
--- 644,655 ----
}
} else {
! if (isset ($_USER['uid']) && ($_USER['uid'] > 1)) {
$A['uid'] = $_USER['uid'];
+ } else {
+ // anonymous users don't have personal calendars - bail
+ COM_accessLog ("Attempt to write to the personal calendar of user {$A['uid']}.");
+ return COM_refresh ($_CONF['site_url'] . '/calendar.php');
}
! $result = DB_save($_TABLES['personal_events'],'uid,eid,title,event_type,url,datestart,timestart,dateend,timeend,allday,location,address1,address2,city,state,zipcode,description',"{$A['uid']},'{$A['eid']}','{$A['title']}','{$A['event_type']}','{$A['url']}','{$A['datestart']}','{$A['timestart']}','{$A['dateend']}','{$A['timeend']}',{$A['allday']},'{$A['location']}','{$A['address1']}','{$A['address2']}','{$A['city']}','{$A['state']}','{$A['zipcode']}','{$A['description']}'",$_CONF['site_url'].'/calendar.php?mode=personal&msg=4');
}
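Review bot: The access-log message on the new else branch interpolates `$A['uid']`, but in this branch the value was not taken from `$_USER` — it is either unset (undefined-index notice and an empty placeholder in the log) or whatever the submission carried, so the entry may record a request-supplied number rather than who actually made the request. Log the rejected state with trusted data instead, e.g. `COM_accessLog ('Anonymous user attempted to write to a personal calendar.');`, and if the submitted uid is worth keeping, append it as a clearly labelled, filtered field. The event branch of savesubmission that encloses this code starts and ends outside the hunk.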
***************
*** 668,676 ****
// see if this is a submission that needs to be handled by a plugin
! // and should include it's own redirect
if (!PLG_saveSubmission($type, $A)) {
COM_errorLog("Could not save your submission. Bad type: $type");
}
! // plugin should include it's own redirect - but in case handle
// it here and redirect to the main page
$retval = COM_refresh ($_CONF['site_url'] . '/index.php');
--- 671,679 ----
// see if this is a submission that needs to be handled by a plugin
! // and should include its own redirect
if (!PLG_saveSubmission($type, $A)) {
COM_errorLog("Could not save your submission. Bad type: $type");
}
! // plugin should include its own redirect - but in case handle
// it here and redirect to the main page
$retval = COM_refresh ($_CONF['site_url'] . '/index.php');
***************
*** 688,711 ****
}
$A['sid'] = COM_makeSid();
! if (empty($_USER['uid'])) {
! $_USER['uid'] = 1;
}
COM_updateSpeedlimit ('submit');
if (($_CONF['storysubmission'] == 1) && !SEC_hasRights('story.submit')) {
! DB_save($_TABLES['storysubmission'],"sid,tid,uid,title,introtext,date,postmode","{$A["sid"]},'{$A["tid"]}',{$_USER['uid']},'{$A['title']}','{$A["introtext"]}',NOW(),'{$A["postmode"]}'",$_CONF['site_url']."/index.php?msg=2");
if (isset ($_CONF['notification']) && in_array ('story', $_CONF['notification'])) {
- $A['uid'] = $_USER['uid'];
sendNotification ($_TABLES['storysubmission'], $A);
}
} else { // post this story directly
! $result = DB_query ("SELECT * FROM {$_TABLES['topics']} where tid='{$A["tid"]}'");
$T = DB_fetchArray ($result);
! $related = addslashes (COM_whatsRelated ($introtext, $_USER['uid'], $A['tid']));
! DB_save ($_TABLES['stories'], 'sid,uid,tid,title,introtext,related,date,commentcode,postmode,owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon', "{$A["sid"]},{$_USER['uid']},'{$A["tid"]}','{$A['title']}','{$A["introtext"]}','{$related}',NOW(),{$_CONF['comment_code']},'{$A["postmode"]}',{$_USER['uid']},{$T['group_id']},{$T['perm_owner']},{$T['perm_group']},{$T['perm_members']},{$T['perm_anon']}");
COM_rdfUpToDateCheck ();
COM_olderStuff ();
if (isset ($_CONF['notification']) && in_array ('story', $_CONF['notification'])) {
- $A['uid'] = $_USER['uid'];
sendNotification ($_TABLES['stories'], $A);
}
--- 691,714 ----
}
$A['sid'] = COM_makeSid();
! if (isset ($_USER['uid']) && ($_USER['uid'] > 1)) {
! $A['uid'] = $_USER['uid'];
! } else {
! $A['uid'] = 1;
}
COM_updateSpeedlimit ('submit');
if (($_CONF['storysubmission'] == 1) && !SEC_hasRights('story.submit')) {
! DB_save($_TABLES['storysubmission'],"sid,tid,uid,title,introtext,date,postmode","{$A['sid']},'{$A['tid']}',{$A['uid']},'{$A['title']}','{$A['introtext']}',NOW(),'{$A['postmode']}'",$_CONF['site_url'].'/index.php?msg=2');
if (isset ($_CONF['notification']) && in_array ('story', $_CONF['notification'])) {
sendNotification ($_TABLES['storysubmission'], $A);
}
} else { // post this story directly
! $result = DB_query ("SELECT * FROM {$_TABLES['topics']} WHERE tid='{$A['tid']}'");
$T = DB_fetchArray ($result);
! $related = addslashes (COM_whatsRelated ($introtext, $A['uid'], $A['tid']));
! DB_save ($_TABLES['stories'], 'sid,uid,tid,title,introtext,related,date,commentcode,postmode,owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon', "{$A['sid']},{$A['uid']},'{$A['tid']}','{$A['title']}','{$A['introtext']}','{$related}',NOW(),{$_CONF['comment_code']},'{$A['postmode']}',{$A['uid']},{$T['group_id']},{$T['perm_owner']},{$T['perm_group']},{$T['perm_members']},{$T['perm_anon']}");
COM_rdfUpToDateCheck ();
COM_olderStuff ();
if (isset ($_CONF['notification']) && in_array ('story', $_CONF['notification'])) {
sendNotification ($_TABLES['stories'], $A);
}
***************
*** 731,747 ****
$display .= COM_siteHeader();
! $mode = '';
! if (isset ($HTTP_POST_VARS['mode'])) {
! $mode = COM_applyFilter ($HTTP_POST_VARS['mode']);
! } else if (isset ($HTTP_GET_VARS['mode'])) {
! $mode = COM_applyFilter ($HTTP_GET_VARS['mode']);
}
! $type = '';
! if (isset ($HTTP_POST_VARS['type'])) {
! $type = COM_applyFilter ($HTTP_POST_VARS['type']);
! } else if (isset ($HTTP_GET_VARS['type'])) {
! $type = COM_applyFilter ($HTTP_GET_VARS['type']);
! }
if ($mode == $LANG12[8]) { // submit
--- 734,745 ----
$display .= COM_siteHeader();
! if (isset ($HTTP_POST_VARS['mode']) || isset ($HTTP_POST_VARS['type'])) {
! $http_vars = $HTTP_POST_VARS;
! } else {
! $http_vars = $HTTP_GET_VARS;
}
! $mode = COM_applyFilter ($http_vars['mode']);
! $type = COM_applyFilter ($http_vars['type']);
if ($mode == $LANG12[8]) { // submit
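Review bot: The new `$mode = COM_applyFilter ($http_vars['mode']);` and `$type = COM_applyFilter ($http_vars['type']);` drop the isset guards the old code had, so a POST that carries only `type` (or a GET with neither key) reads an undefined index and raises a notice; the same unguarded reads are added for year, month, day, hour and topic in the next hunk (`*** 776,779`). Keep the default-to-empty behaviour with `$mode = isset ($http_vars['mode']) ? COM_applyFilter ($http_vars['mode']) : '';` and the same form for the other keys. Choosing the whole array on `mode`/`type` presence also means a POST with neither key silently falls back to the query string for every parameter, which is worth a one-line comment if intended. The enclosing script body continues outside this hunk.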
***************
*** 776,779 ****
--- 774,783 ----
break;
}
+
+ $year = COM_applyFilter ($http_vars['year'], true);
+ $month = COM_applyFilter ($http_vars['month'], true);
+ $day = COM_applyFilter ($http_vars['day'], true);
+ $hour = COM_applyFilter ($http_vars['hour'], true);
+ $topic = COM_applyFilter ($http_vars['topic']);
$display .= submissionform($type, $mode, $month, $day, $year, $hour, $topic);