[Astrospaces-commits] SF.net SVN: astrospaces: [39] trunk
From: <cal...@us...> - 2007-07-30 17:26:19
Revision: 39 http://astrospaces.svn.sourceforge.net/astrospaces/?rev=39&view=rev Author: caleb870 Date: 2007-07-30 10:26:15 -0700 (Mon, 30 Jul 2007) Log Message: ----------- Major revision: Changed all calls to the database through ADOdb. Also fixed over 40 typos, syntax errors, and bugs in the process, and changed calls to the template system (still needs work). Modified Paths: -------------- trunk/config.php trunk/functions/session.php trunk/gallery.php trunk/globals.php trunk/images.php trunk/index.php trunk/profile.php Modified: trunk/config.php ===================================================================
--- trunk/config.php 2007-07-30 04:57:52 UTC (rev 38)
+++ trunk/config.php 2007-07-30 17:26:15 UTC (rev 39)
@@ -23,14 +23,16 @@
define('AS_TBL_USER', AS_DB_PREFIX.'user');
define('AS_TBL_BLOG', AS_DB_PREFIX.'blog');
define('AS_TBL_BLOG_CMT', AS_DB_PREFIX.'blog_comments');
-define('AS_TBL_FRIEND', AS_DB_PREFIX.'friend');
+define('AS_TBL_FRIEND', AS_DB_PREFIX.'friends');
define('AS_TBL_IMG', AS_DB_PREFIX.'images');
define('AS_TBL_IMG_CMT', AS_DB_PREFIX.'image_comments');
define('AS_TBL_ACTION', AS_DB_PREFIX.'actions');
define('AS_TBL_CMT', AS_DB_PREFIX.'comments');
define('AS_TBL_SESSION', AS_DB_PREFIX.'sessions');
-define('AS_TBL_PM', AS_DB_PREFIX.'pm');
+define('AS_TBL_PM', AS_DB_PREFIX.'private_messages');
define('AS_DIR_TPL', 'template/');
-define('AS_TPL', AS_LOC_URL.AS_DIR_TPL);
+define('AS_TPL', AS_LOC_URL.AS_DIR_TPL.'default/');
+
+
?>
\ No newline at end of file
Modified: trunk/functions/session.php ===================================================================
--- trunk/functions/session.php 2007-07-30 04:57:52 UTC (rev 38)
+++ trunk/functions/session.php 2007-07-30 17:26:15 UTC (rev 39)
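Review bot: `AS_TPL` is now built from `AS_LOC_URL`, yet the rest of this commit passes it to `new template(AS_TPL.'...')` as the path of a template file to load, while globals.php loads its own includes from `AS_LOC_DIRECT`. If the template class reads the file from disk, a URL prefix will either fail or, with allow_url_fopen enabled, fetch the template over HTTP instead of from the local filesystem; `define('AS_TPL', AS_LOC_DIRECT.AS_DIR_TPL.'default/');` with a separate URL constant for links is presumably what is intended. gallery.php's view() still uses the bare `AS_DIR_TPL` prefix, so the two should be reconciled at the same time.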
@@ -36,9 +36,13 @@ /* We don't have a session and aren't logged in. Let's create it */ $id = md5(time() . rand(1,1000)); /* Check to make sure it's unique */ - $_query="INSERT INTO `sessions` VALUES('" . $id . "', '-1', '" . $REMOTE_ADDR . "', '" . time() . "')"; - $db->query($_query); - $_COOKIE["session_id"] = $id; + $_query = 'INSERT INTO '.AS_TBL_SESSION.' (id, user_id, ip, last_update) VALUES(' . $id . ','.$db->qstr('-1').',' . $db->qstr($_SERVER['REMOTE_ADDR']) . ',' . time() . ')'; + if ($db->Execute($_query) === false) + { + $error->general('<b>DB Error!</b>', 'session.php - create(): '.$db->ErrorMsg()); + return false; + } + $_COOKIE['session_id'] = $id; } /* Function Name: check 
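Review bot: The new INSERT interpolates `$id` unquoted (`VALUES(' . $id . ','`) while every other value goes through `$db->qstr()`; the md5 hex string is parsed as an identifier and the statement fails, so it should be `VALUES(' . $db->qstr($id) . ','`. The same unquoted session id appears in the UPDATE statements of check() and logout(). The id itself is derived from `time()` and `rand(1,1000)`, which yields only a few thousand candidates per second and makes a live session guessable; derive it from a cryptographically strong random source, and note that the comment 'Check to make sure it's unique' still has no check behind it. These methods also use `$db` and `$error` without a `global` declaration in view, and `$_COOKIE['session_id'] = $id` only updates the superglobal without a `setcookie()`, so the cookie is presumably sent elsewhere; create()'s signature is outside the hunk.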
@@ -49,35 +53,48 @@ { /* We need to check if a session exists by looking for the session cookie. If that's not there, then we return false (since the user isn't logged in). We also match the IP */ - $ip = $REMOTE_ADDR; - $_query = "SELECT * FROM `sessions` WHERE `ip` = '" . $ip . "'"; - $res = $db->query($_query); - if(mysql_num_rows($res) == 0) + $ip = $_SERVER['REMOTE_ADDR']; + $_query = 'SELECT * FROM '.AS_TBL_SESSION.' WHERE ip = ' . $db->qstr($ip); + $res = $db->Execute($_query); + $count = $res->RecordCount(); + if($count == 0) { - $session->create(); + $session->create(); } else { - /* Get an array of our session info */ - $res = $db->fetch_array($res); - if($res['id'] != $_COOKIE["session_id"]) - { - $session->create(); - } - else - { - foreach($res as $key => $value) - { - $user->data[$key] = $value; - } - /* Update our updated time */ - $_query="UPDATE `sessions` SET `last_update` = '" . time() . "' WHERE `id` = '" . $user->data['id'] . "' LIMIT 1"; - $db->query($_query); - } - } + /* Get an array of our session info */ + $res = $res->GetArray(); + if($res[0]['id'] != $_COOKIE['session_id']) + { + $session->create(); + } + else + { + $array = $res->GetArray(); + foreach($array[0] as $key => $value) + { + if (!is_numeric($key)) + { + $user->data[$key] = $value; + } + } + /* Update our updated time */ + $_query = 'UPDATE '.AS_TBL_SESSION.' SET last_update = ' . time() . ' WHERE id = ' . $user->data['id'] . ' LIMIT 1'; + if ($db->Execute($_query) === false) + { + $error->general('<b>DB Error!</b>', 'session.php - check(): '.$db->ErrorMsg()); + return false; + } + } + } /* We also need to get rid of users who haven't done anything in the last half-hour */ - $_query = "DELETE * FROM `sessions` WHERE `last_update` < " . (time() - (60*30)); - $db->query($_query); + $_query = 'DELETE FROM '.AS_TBL_SESSION.' WHERE last_update < ' . 
(time() - (60*30)); + if ($db->Execute($_query) === false) + { + $error->general('<b>DB Error!</b>', 'session.php - check(): '.$db->ErrorMsg()); + return false; + } } /* Function Name: logged_in @@ -102,18 +119,27 @@ */ function login($user_id) { + if (!is_numeric($user_id) and $user_id != null) + { + $error->general('Invalid userID', "Invalid userID = Possible hack! Input value: \"".$user_id."\" User Hostname: ".$_SERVER['REMOTE_ADDR']); + return false; + } $session->check(); if($session->logged_in()) { - /* Wait - what? */ - $error->general("Already logged in", "Session already populated"); + /* Wait - what? */ + $error->general("Already logged in", "Session already populated"); } else { - $_query = "UPDATE `sessions` SET `user_id` = '" . $user_id . "' WHERE `id` = '" . $_COOKIE["session_id"] . " LIMIT 1"; - $db->query($_query); - /* Run the session check again. It'll make the row and populate $user->data */ - $session->check(); + $_query = 'UPDATE '.AS_TBL_SESSION.' SET user_id = ' . $user_id . ' WHERE id = ' . $db->qstr($_COOKIE["session_id"]) . ' LIMIT 1'; + if ($db->Execute($_query) === false) + { + $error->general('<b>DB Error!</b>', 'session.php - login(): '.$db->ErrorMsg()); + return false; + } + /* Run the session check again. It'll make the row and populate $user->data */ + $session->check(); } } /* @@ -125,13 +151,13 @@ { if($session->logged_in()) { - $_query = "UPDATE `sessions` SET `user_id` = '-1' WHERE `id` = '" . $user->data['id'] . "' AND `ip` = '" . $user->data['ip'] . "' LIMIT 1"; - $db->query($_query); - $user->data = null; + $_query = 'UPDATE '.AS_TBL_SESSION.' SET user_id = '.$db->qstr('-1').' WHERE id = ' . $user->data['id'] . ' AND ip = ' . $db->qstr($user->data['ip']) . ' LIMIT 1'; + $db->query($_query); + $user->data = null; } else { - $error->general('Not logged in', 'User ID = -1'); + $error->general('Not logged in', 'User ID = -1'); } } /* 
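Review bot: `$res = $res->GetArray();` turns `$res` into a plain array, so the later `$array = $res->GetArray();` in the else-branch calls a method on an array and is a fatal error; drop the second call and iterate the row directly with `foreach($res[0] as $key => $value)`. The lookup is keyed on the client IP alone, so the first sessions row from that address is compared with the cookie, and two visitors behind one NAT collide and trigger create() for each other; selecting on the cookie id as well — `WHERE id = ' . $db->qstr($_COOKIE['session_id']) . ' AND ip = ' . $db->qstr($ip)` — makes the row lookup unambiguous (guard the cookie with `isset()` first). `$db->Execute()` is not checked for `false` before `RecordCount()` is called, unlike the two statements that follow. check()'s signature is outside the hunk, and `$session->create()` and `$user->data` refer to globals not declared in view.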
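Review bot: The new guard `if (!is_numeric($user_id) and $user_id != null)` lets a null or empty `$user_id` through, and the UPDATE then renders as `SET user_id =  WHERE ...`, a syntax error surfaced only through the generic DB Error path. Reject anything non-numeric — `if (!is_numeric($user_id))` — and interpolate `(int)$user_id` so that values is_numeric() accepts such as `'1e3'` or leading whitespace are normalised before they reach SQL. The same `and $x != null` pattern is repeated in action(), add_friend(), accept_friend() and can_view(). login()'s body continues outside the hunk.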
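Review bot: logout() keeps `$db->query($_query)` with no result check, while the other methods in this commit switched to `if ($db->Execute($_query) === false)` and report `$db->ErrorMsg()` through `$error->general()`. Use the same form here, otherwise a failed UPDATE silently clears `$user->data` in PHP while the sessions row still carries the user id, and the next check() logs the user straight back in. The session id in `WHERE id = ' . $user->data['id']` has the same quoting problem as create().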
@@ -141,31 +167,36 @@ */ function is_friend($id) { + if (!is_numeric($id)) + { + $error->general('Invalid userID', "Invalid userID = Possible hack! Input value: \"".$id."\" User Hostname: ".$_SERVER['REMOTE_ADDR']); + return false; + } if(!$user->logged_in()) { - return false; + return false; } else { - $_query = "SELECT * FROM `friends` WHERE `party_1` = '" . $user->data['user_id'] . "' AND AND `party_2`='" . $id . "' AND `accepted`='1'"; - $_query = $db->query($_query); - if(mysql_num_rows($_query) > 0) + $_query = 'SELECT count(*) FROM '.AS_TBL_FRIEND.' WHERE party_1 = ' . $user->data['user_id'] . ' AND party_2 = ' . $id . ' AND accepted = 1'; + $_query = $db->Execute($_query); + if($_query->fields[0] > 0) + { + return true; + } + else + { + $_query = 'SELECT count(*) FROM '.AS_TBL_FRIEND.' WHERE party_2 = ' . $user->data['user_id'] . ' AND party_1 = ' . $id . ' AND accepted = 1'; + $_query = $db->Execute($_query); + if($_query->fields[0] > 0) { - return true; + return true; } else { - $_query = "SELECT * FROM `friends` WHERE `party_2` = '" . $user->data['user_id'] . "' AND `party_1`='" . $id . "' AND `accepted`='1'"; - $_query = $db->query($_query); - if(mysql_num_rows($_query) > 0) - { - return true; - } - else - { - return false; - } + return false; } + } } } /* 
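Review bot: `$_query->fields[0]` is read straight after `$db->Execute()` without the `=== false` check the other methods received; on a query error Execute() returns false and this becomes a fatal 'property of non-object' inside an authorisation check that gallery.php relies on to gate another user's images. Since both statements only need a count, `$db->GetOne()` returns the scalar directly and the two lookups can be merged into one: `'SELECT count(*) FROM '.AS_TBL_FRIEND.' WHERE accepted = 1 AND ((party_1 = '.(int)$user->data['user_id'].' AND party_2 = '.(int)$id.') OR (party_1 = '.(int)$id.' AND party_2 = '.(int)$user->data['user_id'].'))'`, then `return $db->GetOne($_query) > 0;`. `$user->logged_in()` refers to a global rather than `$this`, which is pre-existing.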
@@ -173,8 +204,18 @@ Arguments: (int) action -- Add action to action table; (int) who -- ID of friend action is made towards. If unspecified, applies to all Purpose: */ - function action($action, $who="") + function action($action, $who = null) { + if (!is_numeric($action) and $action != null) + { + $error->general('Invalid actionID', "Invalid actionID = Possible hack! Input value: \"".$action."\" User Hostname: ".$_SERVER['REMOTE_ADDR']); + return false; + } + if (!is_numeric($who) and $who != null) + { + $error->general('Invalid whoID', "Invalid whoID = Possible hack! Input value: \"".$who."\" User Hostname: ".$_SERVER['REMOTE_ADDR']); + return false; + } /*List of actions: 1. Updated Space 2. Left you a comment @@ -185,7 +226,7 @@ 7. Left you a comment on a blog post 8. Joined a group 9. Created a group */ - $_query="INSERT INTO `actions` VALUES('" . time() . "', '" . $user->data['user_id'] . "', '" . $action . "', '" . $who . "')"; + $_query = 'INSERT INTO '.AS_TBL_ACTION.' (time, who, action, for) VALUES(' . time() . ',' . $user->data['user_id'] . ', ' . $action . ', ' . $who . ')'; $db->query($_query); return true; } 
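Review bot: The rewritten INSERT names the column `for` without the backticks the old statement had, and FOR is a reserved word in MySQL, so the statement is rejected; write it as `` `for` ``. The same dropped-backtick problem hits `join` in profile.php register(), `desc` in the image upload INSERT, `from`/`read` in inbox() and `read` in message(). With the new default `$who = null` the value list ends in `, )` because null interpolates as an empty string; emit an explicit value, e.g. `', ' . ($who === null ? 'NULL' : (int)$who) . ')'`, or `0` if the column is NOT NULL. The statement still goes through `$db->query()` without the `=== false` check used elsewhere in this commit; action()'s comment block and body extend beyond the hunk.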
@@ -196,39 +237,48 @@ */ function add_friend($id) { + if (!is_numeric($id) and $id != null) + { + $error->general('Invalid friendID', "Invalid friendID = Possible hack! Input value: \"".$action."\" User Hostname: ".$_SERVER['REMOTE_ADDR']); + return false; + } + if(!$user->logged_in()) { - $error->general("Not logged in", "Add as friend"); + $error->general("Not logged in", "Add as friend"); } else { - if($user->is_friend($id)) + if($user->is_friend($id)) + { + $error->general("Already friend", "Add as friend"); + } + else + { + $_query = 'SELECT count(*) FROM '.AS_TBL_FRIEND.' WHERE (party_1 = ' . $user->data['user_id'] . ' AND party_2 = ' . $id; + $_query = $db->query($_query); + if ($_query->fields[0] > 0) { - $error->general("Already friend", "Add as friend"); - } + $error->general("Already added as friend, awaiting acception", "Add as friend"); + } else { - $_query = "SELECT * FROM `friends` WHERE `party_1`='" . $user->data['user_id'] . " AND `party_2`='" . $id . "'"; - $_query=$db->query($_query); - if(mysql_num_rows($_query) > 0) - { - $error->general("Already added as friend, awaiting acception", "Add as friend"); - } - else - { - $_query = "SELECT * FROM `friends` WHERE `party_2`='" . $user->data['user_id'] . " AND `party_1`='" . $id . "'"; - $_query=$db->query($_query); - if(mysql_num_rows($_query) > 0) - { - $error->general("User has already added you as a friend. Accept them in your friend control panel.", "Add as friend"); - } - else - { - $_query="INSERT INTO `friends` VALUES('" . $user->data['user_id'] . "', '" . $id . "', '0'"; - $db->query($_query); - $message->thank("adding this user as your friend. You will be alerted when they accept you as a friend.", "to go back", "javascript:history.go(-1)"); - } - } + $_query = 'SELECT count(*) FROM '.AS_TBL_FRIEND.' WHERE party_2 = ' . $user->data['user_id'] . ' AND party_1 = ' . 
$id; + $_query = $db->Execute($_query); + if ($_query->fields[0] > 0) + { + $error->general("User has already added you as a friend. Accept them in your friend control panel.", "Add as friend"); + } + else + { + $_query='INSERT INTO '.AS_TBL_FRIEND.' VALUES(' . $user->data['user_id'] . ',' . $id . ',0)'; + if ($db->Execute($_query) === false) + { + $error->general('<b>DB Error!</b>', 'session.php - add_friend(): '.$db->ErrorMsg()); + return false; + } + $message->thank("adding this user as your friend. You will be alerted when they accept you as a friend.", "to go back", "javascript:history.go(-1)"); + } } } } @@ -239,7 +289,12 @@ */ function accept_friend($id) { - $_query="UPDATE `friends` SET `accepted`='1' WHERE `party_2`='" . $data->user['user_id'] . "' AND `party_1='" . $id . "' LIMIT 1"; + if (!is_numeric($id) and $id != null) + { + $error->general('Invalid friendID', "Invalid friendID = Possible hack! Input value: \"".$action."\" User Hostname: ".$_SERVER['REMOTE_ADDR']); + return false; + } + $_query= 'UPDATE '.AS_TBL_FRIEND.' SET accepted = 1 WHERE party_2 = '.$data->user['user_id'].' AND party_1 = '.$id.' LIMIT 1'; $db->query($_query); $user->action(5, $id); } 
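Review bot: The first count query opens a parenthesis that is never closed — `WHERE (party_1 = ' . $user->data['user_id'] . ' AND party_2 = ' . $id` — so it fails, and its result is then dereferenced via `$_query->fields[0]` without the `=== false` check; `$db->GetOne()` on the corrected SQL is the simpler form. The new validation block logs `$action`, which does not exist in add_friend(), instead of `$id`; the same copy-paste appears in accept_friend() and can_view(). The final INSERT relies on positional column order (`VALUES(' . $user->data['user_id'] . ',' . $id . ',0)`); name the columns as the other INSERTs in this commit do, and cast both ids with `(int)`.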
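Review bot: The rewritten UPDATE still reads `$data->user['user_id']`, but no `$data` object exists in this file — the current user is `$user->data['user_id']` everywhere else — so the WHERE clause renders as `party_2 =  AND ...` and fails, meaning friend requests can never be accepted. With a correct user id that clause is also the authorisation check that only the addressee can accept, so it is worth keeping explicit: `WHERE party_2 = '.(int)$user->data['user_id'].' AND party_1 = '.(int)$id.' LIMIT 1'`. There is no logged_in() guard here, unlike add_friend(), and `$db->query()` is used without a result check.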
@@ -250,10 +305,15 @@ */ function can_view($id) { + if (!is_numeric($id) and $id != null) + { + $error->general('Invalid friendID', "Invalid friendID = Possible hack! Input value: \"".$action."\" User Hostname: ".$_SERVER['REMOTE_ADDR']); + return false; + } /*We're simply checking whether or not we have the permissions to view this space */ /*First we need to figure out what the space privacy setting is*/ - $_query="SELECT `privacy` FROM `users` WHERE `id`='" . $id . "' LIMIT 1"; - $_query=$db->query($_query); + $_query = 'SELECT privacy FROM '.AS_TBL_USER.' WHERE id = ' . $id . ' LIMIT 1'; + $_query = $db->Execute($_query); $_query=$db->fetch_array($_query); $res=$_query['privacy']; if($res == '0') Modified: trunk/gallery.php =================================================================== --- trunk/gallery.php 2007-07-30 04:57:52 UTC (rev 38) +++ trunk/gallery.php 2007-07-30 17:26:15 UTC (rev 39) @@ -18,6 +18,7 @@ @id: $Id$ *********************************************************/ + class gallery { /* @@ -35,11 +36,11 @@ { if($session->is_friend($id)) { - $_query="SELECT `id` FROM `images` WHERE `owner`='" . $id . "'"; - $_query=$db->query($_query); - $_query=$db->fetch_array($_query); - $gallery =& new template('gallery.tpl'); - $gallery->set('gallery', $_query); + $_query = 'SELECT id FROM '.AS_TBL_IMG.' WHERE owner = '.$db->qstr($id,get_magic_quotes_gpc()); + $_query = $db->Execute($_query); + $_query = $db->GetArray($_query); + $gallery = new template(AS_DIR_TPL.'gallery.tpl'); + $gallery->set_var('gallery', $_query); } } } 
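Review bot: `$_query=$db->fetch_array($_query);` is a method of the old db wrapper that this commit removes from globals.php; on an ADOdb recordset it is undefined, and the privacy lookup that gates access to a space dies before reaching the `if($res == '0')` branch. Replace the Execute/fetch_array pair with `$res = $db->GetOne('SELECT privacy FROM '.AS_TBL_USER.' WHERE id = '.(int)$id);` and test for `false` before comparing. The validation block again logs the undefined `$action` rather than `$id`. can_view()'s body continues past the hunk.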
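Review bot: `$_query = $db->GetArray($_query);` calls GetArray() on the connection with a recordset as its argument, whereas the connection method takes an SQL string; elsewhere in this commit the recordset form `$img->GetArray()` is used, and thumb() in images.php and message() in profile.php repeat the connection form. The template is opened as `AS_DIR_TPL.'gallery.tpl'` while every other template in the commit uses the `AS_TPL` prefix, so the two will resolve to different directories; `new template(AS_TPL.'gallery.tpl')` matches the rest. `$db->Execute()` is not checked for `false` before its result is used.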
@@ -48,46 +49,50 @@ Arguments: (int) img_id -- ID of image to view; (int) owner -- ID of image uploader Purpose: View fullsize image/comments of specific image */ - function drill($img_id, $owner) + function drill( $img_id, $owner ) { - if(empty($img_id)) + if( empty( $img_id ) ) { $error->general('An image must be specified', 'Tried to access drill without specifying image id'); } else { - if($session->is_friend($owner)) + if( $session->is_friend($owner) ) { - $_query = "SELECT * FROM `images` WHERE `id`='" . $img_id . "'"; - $img = $db->query($_query); + $_query = 'SELECT * FROM '.AS_TBL_IMG.' WHERE id = '.$db->qstr($img_id,get_magic_quotes_gpc()); + $img = $db->Execute( $_query ); - $_query = "SELECT * FROM `images_comments` WHERE `image`='" . $img_id . "'"; - $img_com = $db->query($_query); + $_query = 'SELECT * FROM '.AS_TBL_IMG_CMT.' WHERE image = '.$db->qstr($img_id,get_magic_quotes_gpc()); + $img_com = $db->Execute( $_query ); - foreach($db->fetch_array($img_com) as $key => $value) + $count = $img_com->RecordCount(); + for ($i = 0; $i < $count; $i++) /* What? */ { foreach($value as $key_name => $key_value) { - if($key_value == 'author') + if ($key_value == 'author') { $key_value = $session->get_username($key_value); } $com[$key_name] = $key_value; } + $img_con->MoveNext(); } - $img=$db->fetch_array($img); - if(isset($user->data['user_id'] && $user->data['user_id'] != $img['owner']) + $img_com->Close(); + $img = $img->GetArray(); + + if ( isset($user->data['user_id']) and $user->data['user_id'] != $img['owner'] ) { $img['views']++; - $_query="UPDATE `images` SET `views`='" . $views . "' WHERE `id`='" . $img_id . "'"; + $_query = 'UPDATE '.AS_TBL_IMG." SET views = '" . $views . "' WHERE id = '" . $img_id . 
"'"; $db->query($_query); } - $drill =& new template('drill.tpl'); - $drill->set('id', $img_id); - $drill->set('comments', $com); - $drill->set('views', $img['views']); - $drill->set('desc', $img['desc']); - $drill->set('name', $img['name']); + $drill = new template(AS_TPL.'drill.tpl'); + $drill->set_var('id', $img_id); + $drill->set_var('comments', $com); + $drill->set_var('views', $img['views']); + $drill->set_var('desc', $img['desc']); + $drill->set_var('name', $img['name']); } } } @@ -100,7 +105,7 @@ { if($session->is_friend($owner)) { - $form =& new template('forms/gallery_comment.tpl'); + $form = new template(AS_TPL.'forms/gallery_comment.tpl'); } } /* @@ -110,14 +115,16 @@ */ function comment_process() { - $img_id=$_POST["id"]; + $img_id = $_POST['id']; $session->add_image_comment($img_id); } } -$gallery =& new gallery; + +include('globals.php'); +$gallery =& new gallery(); $mode = empty($_GET["mode"]) ? 'view' : $_GET["mode"]; $id = empty($_GET["id"]) ? ($session->logged_in() ? $user->data['user_id'] : 0) : mysql_real_escape_string($_GET["id"]); -switch $mode +switch ($mode) { case 'view': $gallery->view($id); Modified: trunk/globals.php =================================================================== --- trunk/globals.php 2007-07-30 04:57:52 UTC (rev 38) +++ trunk/globals.php 2007-07-30 17:26:15 UTC (rev 39) @@ -19,10 +19,12 @@ @id: $Id$ *********************************************************/ /* Include our larger functions */ -require_once('./functions/template.php'); -$template =& new template; -require_once('./functions/session.php'); +require(AS_LOC_DIRECT.'config.php'); +require(AS_LOC_DIRECT.'functions/template.php'); +$template =& new template(); +require(AS_LOC_DIRECT.'functions/session.php'); $user =& new session(); +require(AS_LOC_DIRECT.'functions/adodb/adodb.inc.php'); /*The smaller ones*/ class error 
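Review bot: The comment loop never reads the recordset — `$value` is undefined, the cursor is advanced through `$img_con->MoveNext()` (a typo for `$img_com`), and `$key_value == 'author'` tests the value where the column name was meant — so `$com` ends up empty or raises notices on every row. Below it, `$img = $img->GetArray()` returns a list of rows, so `$img['owner']` and `$img['views']` read a missing key, and the views UPDATE interpolates the undefined `$views` and the raw `$img_id` without `qstr()`, so the parameter the two SELECTs escape is written into SQL unescaped one statement later. A rewrite of that stretch using the recordset's `fields`/`EOF`, `FetchRow()` for the image, and the same escaping as the SELECTs is sketched below; it assumes the associative fetch mode the rest of the code relies on, and whether `$com` should hold one entry per comment must be confirmed against drill.tpl.
```php
$com = array();
while (!$img_com->EOF)
{
    $row = $img_com->fields;
    if (isset($row['author']))
    {
        $row['author'] = $session->get_username($row['author']);
    }
    $com[] = $row;
    $img_com->MoveNext();
}
$img_com->Close();
$img = $img->FetchRow();

if ( isset($user->data['user_id']) and $user->data['user_id'] != $img['owner'] )
{
    $img['views']++;
    $_query = 'UPDATE '.AS_TBL_IMG.' SET views = '.(int)$img['views'].' WHERE id = '.$db->qstr($img_id, get_magic_quotes_gpc());
    if ($db->Execute($_query) === false)
    {
        $error->general('<b>DB Error!</b>', 'gallery.php - drill(): '.$db->ErrorMsg());
        return false;
    }
}
/* … unchanged: template population … */
```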
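Review bot: `require(AS_LOC_DIRECT.'config.php')` uses `AS_LOC_DIRECT` before config.php has been loaded; unless that constant is defined somewhere earlier than globals.php (it is not in the config.php hunk shown), the expression evaluates to the bare string `'AS_LOC_DIRECTconfig.php'` and the require fails. Define the constant ahead of this line, or require config.php by a path relative to `dirname(__FILE__)` and let config.php define the rest. `$user =& new session()` is constructed before adodb.inc.php is required, which is only safe as long as the constructor does not touch `$db`.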
@@ -34,7 +36,7 @@ */ function general($err, $verbose) { - $error =& new template('messages/error.tpl'); + $error =& new template(AS_TPL.'messages/error.tpl'); $error->set('err', $err); $handle = fopen('logs/errors.txt', 'w'); if($handle) @@ -59,19 +61,19 @@ */ function thank($message, $go1, $res1, $go2="", $res2="") { - $message =& new template('message/thank.tpl'); - $message->set('go1', $go1); - $message->set('go2', $go2); - $message->set('res1', $res1); - $message->set('res2', $res2); - $message->set('message', $message); + $message =& new template(AS_TPL.'message/thank.tpl'); + $message->set_var('go1', $go1); + $message->set_var('go2', $go2); + $message->set_var('res1', $res1); + $message->set_var('res2', $res2); + $message->set_var('message', $message); } } -/* To satisfy ZDE */ -require_once('./functions/db.php'); -$db =& new db; /* Our functions living in globals.php */ $error =& new error; $message =& new message(); + +$db =& new ADOConnection(AS_DB_TYPE); +$db->Connect(AS_DB_HOST, AS_DB_USER, AS_DB_PASS, AS_DB_SCHEMA); ?> \ No newline at end of file Modified: trunk/images.php =================================================================== --- trunk/images.php 2007-07-30 04:57:52 UTC (rev 38) +++ trunk/images.php 2007-07-30 17:26:15 UTC (rev 39) @@ -33,12 +33,13 @@ { $error->general("Invalid ID specified", "Not an (int)"); } - $_query = "SELECT * FROM `images` WHERE `id`='" . $id . "'"; - $img=$db->fetch_array($db->query($_query)); + $_query = 'SELECT * FROM '.AS_TBL_IMG.' WHERE id = '.$db->qstr($id,get_magic_quotes_gpc()); + $img = $db->Execute($_query); + $img = $img->GetArray(); - header('Content-type: ' . $img['mine_type']); - header('Content-Disposition: attachment; filename=' . $img['name']); - echo $img['content']; + header('Content-Type: ' . $img[0]['mime_type']); + header('Content-Disposition: attachment; filename=' . $img[0]['name']); + echo $img[0]['content']; } /* Function Name: thumb 
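Review bot: general() still calls `$error->set('err', $err)` while thank() in the same commit was changed to `set_var(...)`; if the template method was renamed, error reporting — the path every DB failure in this commit now takes — is itself broken, and a failing error handler hides the original failure. Change it to `$error->set_var('err', $err);` for consistency with thank(). The neighbouring `fopen('logs/errors.txt', 'w')` is context here, but mode `'w'` truncates the log on every call, so only the most recent error is ever kept; `'a'` would preserve the history an incident review needs.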
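Review bot: `$message =& new template(AS_TPL.'message/thank.tpl')` overwrites the `$message` parameter, so the rewritten `$message->set_var('message', $message)` hands the template object to itself and the caller's text is lost; give the template a different local name, e.g. `$tpl =& new template(AS_TPL.'message/thank.tpl');` and `$tpl->set_var('message', $message);`. Separately, `$db =& new ADOConnection(AS_DB_TYPE)` instantiates ADOdb's abstract base class rather than a driver; ADOdb's entry point is the factory `$db = ADONewConnection(AS_DB_TYPE);`, and the return value of the following `$db->Connect(...)` should be checked, since a false there leaves every later `$db->Execute()` failing. The path uses `message/` while general() uses `messages/`; one of them is presumably a typo.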
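Review bot: After `$error->general("Invalid ID specified", ...)` the function carries on with `$id` null, so the new query runs as `WHERE id = ''` and `$img[0]` is read from an empty result, producing notices and an empty body under a `Content-Type` taken from a missing key; add `return false;` after the error call, as the validators in session.php do. The `Content-Disposition` filename is emitted verbatim from the stored `name` column, which originates from the uploader; pass it through `basename()` and quote it (`filename="..."`) so a stored name cannot alter the header. `$img->FetchRow()` would give the single row directly instead of `GetArray()` plus `[0]`. view()'s signature is outside the hunk.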
@@ -48,30 +49,31 @@ function thumb($id) { $id = is_numeric($_GET["id"]) ? $_GET["id"] : null; - if(empty($id)) + if(!empty($id)) { $error->general("Invalid ID specified", "Not an (int)"); } - $_query = "SELECT * FROM `images` WHERE `id`='" . $id . "'"; - $img=$db->fetch_array($db->query($_query)); + $_query = 'SELECT * FROM '.AS_TBL_IMG.' WHERE id = '.$db->qstr($id,get_magic_quotes_gpc()); + $_query = $db->Execute($_query); + $img = $db->GetArray($_query); /* We're going to resize the larger dimension to 150px */ - if($img['width'] > $img['height']) + if($img[0]['width'] > $img[0]['height']) { - $scale_percentage = $img['width'] / 150; + $scale_percentage = $img[0]['width'] / 150; } else { - $scale_percentage = $img['height'] / 150; + $scale_percentage = $img[0]['height'] / 150; } $new_dimensions = array( - 'width' => ($scale_percentage < 1) ? $img['width'] * $scale_percentage : $img['width'], - 'height' => ($scale_percentage < 1) ? $img['height'] * $scale_percentage : $img['height'] + 'width' => ($scale_percentage < 1) ? $img[0]['width'] * $scale_percentage : $img[0]['width'], + 'height' => ($scale_percentage < 1) ? $img[0]['height'] * $scale_percentage : $img[0]['height'] ); - header('Content-type: ' . $img['mine_type']); - header('Content-Disposition: attachment; filename=' . $img['name']); + header('Content-Type: ' . $img[0]['mime_type']); + header('Content-Disposition: attachment; filename=' . $img[0]['name']); - $type = explode("/", $img['mine_type']); + $type = explode("/", $img[0]['mine_type']); $type = $type[1]; switch($type) { @@ -86,7 +88,7 @@ break; } $res = imagecreatetruecolor($new_dimensions['width'], $new_dimensions['height']); - imagecopyresized($res, $new_image, 0, 0, 0, 0, $new_dimensions['width'], $new_dimensions['height'], $img['width'], $img['height']); + imagecopyresized($res, $new_image, 0, 0, 0, 0, $new_dimensions['width'], $new_dimensions['height'], $img[0]['width'], $img[0]['height']); switch($type) { 
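Review bot: The condition was inverted to `if(!empty($id))`, so the 'Invalid ID specified' error now fires for every valid id and is skipped for the invalid one; it has to be `if(empty($id))` with a `return false;` after the error call. The hunk corrects the header to `$img[0]['mime_type']` but still derives `$type` from `$img[0]['mine_type']`, so `explode("/", ...)` runs on null and the format switch below never matches. `$img = $db->GetArray($_query);` is the connection form with a recordset argument (see gallery.php view()); use `$img = $_query->GetArray();`. thumb()'s body continues past the second hunk.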
@@ -104,7 +106,7 @@ } /* Actually handle the data here */ -$mode=empty($_GET["mode"]) ? '' : $_GET["mode"]; +$mode = empty($_GET["mode"]) ? '' : $_GET["mode"]; switch($mode) { case 'view': Modified: trunk/index.php =================================================================== --- trunk/index.php 2007-07-30 04:57:52 UTC (rev 38) +++ trunk/index.php 2007-07-30 17:26:15 UTC (rev 39) 
@@ -1,34 +1,34 @@ -<?php -/******************************************************* - * Copyright (C) 2007 http://p3net.net - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License along - with this program; if not, write to the Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - - @id: $Id$ -*********************************************************/ -include('globals.php'); -/* 5 most recent users should be enough. We can fill the rest with ads or something */ -$_query = "SELECT `id`, `display_name`, `user_image` FROM `users` SORT BY `id` DESC LIMIT 5"; -$res = ($db->query($_query); -while($user = $db->fetch_array($_query)) -{ - $userdetail[$user['display_name']] = array( - 'id' => $user['id'], - `icon` => $user['user_image'] - ); -} -$index =& new template('home.tpl'); -$index->set('userdetail', $userdetail); +<?php +/******************************************************* + * Copyright (C) 2007 http://p3net.net + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. 
+ + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + + @id: $Id$ +*********************************************************/ +include('globals.php'); +/* 5 most recent users should be enough. We can fill the rest with ads or something */ +$_query = 'SELECT id, display_name, user_image FROM '.AS_TBL_USER.' SORT BY id DESC LIMIT 5'; +$_query = $db->Execute($_query); +while($user = $_query->FetchRow()) +{ + $userdetail[$user['display_name']] = array( + 'id' => $user['id'], + 'icon' => $user['user_image'] + ); +} +$index = template(AS_TPL.'home.tpl'); +$index->set_var('userdetail', $userdetail); ?> \ No newline at end of file Modified: trunk/profile.php =================================================================== --- trunk/profile.php 2007-07-30 04:57:52 UTC (rev 38) +++ trunk/profile.php 2007-07-30 17:26:15 UTC (rev 39) 
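Review bot: The rewritten query says `SORT BY id DESC`, which is not SQL (`ORDER BY id DESC`), so `$db->Execute()` returns false and `$_query->FetchRow()` is called on a boolean; add the `=== false` check used elsewhere in the commit. `$index = template(AS_TPL.'home.tpl')` also lost its `new` in the rewrite and fails as an undefined function; restore `$index =& new template(AS_TPL.'home.tpl');` to match the other files. Initialise `$userdetail = array();` before the loop so the template receives an empty array rather than an undefined variable when the table is empty.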
@@ -31,18 +31,22 @@ $step = empty($_GET["step"]) ? '1' : $_GET["step"]; if($step == 1) { - $form =& new template('forms/register.tpl'); + $form =& new template(AS_TPL.'forms/register.tpl'); } else if($step == 2) { - foreach($_POST as $key => $value) - { - $vars[$key] = mysql_real_escape_string($value); - } - $_query = "INSERT INTO users (`id`, `display_name`, `password`, `join`, `time_offset` VALUES('', '" . $vars["display_name"] . "', '" . - md5($vars["password"] . "', '" . time() . "', '" . $vars["offset"] . "')"; - $db->query($_query); - $message->thank('for registering.', 'to proceed to the login page.', 'profile.php?mode=login'); + $_query = 'INSERT INTO '.AS_TBL_USER.' (display_name, password, join, time_offset '; + $_query .= 'VALUES('.$db->qstr($vars["display_name"],get_magic_quotes_gpc()).','; + $_qeury .= $db->qstr(md5($vars["password"]),get_magic_quotes_gpc()).','; + $_query .= time().','.qstr($vars["offset"],get_magic_quotes_gpc()).')'; + + if ($db->Execute($_query) === false) + { + $error->general("<b>DB Error!</b>", $db->ErrorMsg()); + return false; + } else { + $message->thank('for registering.', 'to proceed to the login page.', 'profile.php?mode=login'); + } } } /* @@ -78,7 +82,7 @@ $step = empty($_GET["step"]) ? '1' : $_GET["step"]; if($step == 1) { - $form =& new template('forms/upload_pic.tpl'); + $form =& new template(AS_TPL.'forms/upload_pic.tpl'); } else { 
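Review bot: The loop that filled `$vars` from `$_POST` was deleted but the INSERT still reads `$vars["display_name"]`, `$vars["password"]` and `$vars["offset"]`, so every registration inserts empty values; in addition the `$_qeury` typo drops the password column from the statement, the column list is missing its closing parenthesis, `join` is a reserved word that needs backticks, and `qstr(...)` is called as a bare function instead of `$db->qstr(...)`. A corrected version is below; it copies `$_POST` and lets qstr() do the escaping, with the magic-quotes flag telling it whether slashes are already present. The password is still stored as an unsalted `md5()` of the plaintext, which is cheap to recover from a leaked table; at minimum combine it with a per-user salt, which is a schema change beyond this hunk. register()'s signature is outside the hunk.
```php
$vars = $_POST;
$_query  = 'INSERT INTO '.AS_TBL_USER.' (display_name, password, `join`, time_offset) ';
$_query .= 'VALUES('.$db->qstr($vars["display_name"], get_magic_quotes_gpc()).',';
$_query .= $db->qstr(md5($vars["password"])).',';
$_query .= time().','.$db->qstr($vars["offset"], get_magic_quotes_gpc()).')';
/* … unchanged: Execute() check and thank() … */
```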
@@ -98,9 +102,14 @@ $content = addslashes($content); fclose($fp); - $_query="INSERT INTO `images` VALUES('', '" . $user->data["user_id"] . "', '" . $content . "', '" . $file_type . "', ''" - . mysql_real_escape_string(htmlspecialchars($_POST["desc"])) "', '" . $width . "', '" . $height . ",'" . $file_name . "', '0');"; - $db->query($_query); + $_query = 'INSERT INTO '.AS_TBL_IMG.' (owner, content, mime_type, desc, width, height, name, views)' + .'VALUES('. $user->data["user_id"] . ',' . $db->qstr($content) . ',' . $db->qstr($file_type) . "', ''" + .$db->qstr(htmlspecialchars($_POST["desc"]),get_magic_quotes_gpc()).','.$width.','.$height.','.$db->qstr($file_name,get_magic_quotes_gpc()).", '0')"; + if ($db->Execute($_query) === false) + { + $error->general("<b>DB Error!</b>", $db->ErrorMsg()); + return false; + } $user->action(4, ''); $message->thank('for uploading an image', 'go back to the previous page', 'javascript:history.go(\'-2\')'); @@ -116,21 +125,21 @@ $step = empty($_GET["step"]) ? '1' : $_GET["step"]; if($step == 1) { - $form =& new template('forms/login.tpl'); + $form =& new template(AS_TPL.'forms/login.tpl'); } else { foreach($_POST as $key => $value) { - $var[$key] = mysql_real_escape_string(htmlspecialchars($value)); + $var[$key] = $db->qstr(htmlspecialchars($value),get_magic_quotes_gpc()); } - $_query = "SELECT `id` FROM `users` WHERE `email` = '" . $var['email'] . "' AND `password` = '" . md5($var['password']) . "'"; - $_query = $db->query($_query); - $num = mysql_num_rows($_query); + $_query = 'SELECT id FROM '.AS_TBL_USER.' WHERE email = ' . $var['email'] . ' AND password = ' . qstr(md5($var['password'])); + $_query = $db->Execute($_query); + $num = $_query->RecordCount(); if($num > 0) { - $id = $db->fetch_array($_query); - $session->login($id['id']); + $id = $_query->GetArray(); + $session->login($id[0]['id']); $message->thank('logging in', 'to return to the index', 'index.php'); } else 
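Review bot: The rewritten INSERT keeps fragments of the old string — `. "', ''"` after the mime type and `", '0')"` at the end — so the SQL is malformed, and `$content` reaches `$db->qstr()` after the context line `$content = addslashes($content);` has already escaped it, which double-escapes the image bytes and corrupts every upload. `desc` is a reserved word and needs backticks, and `$file_name` comes from the upload, so reduce it with `basename()` before storage since images.php later echoes it in a `Content-Disposition` header. The corrected statement is below; remove the `addslashes()` line with it. upload()'s body continues outside the hunk.
```php
/* $content is escaped by qstr(); do not addslashes() it first */
$_query = 'INSERT INTO '.AS_TBL_IMG.' (owner, content, mime_type, `desc`, width, height, name, views) '
    .'VALUES('.(int)$user->data["user_id"].','.$db->qstr($content).','.$db->qstr($file_type).','
    .$db->qstr(htmlspecialchars($_POST["desc"]), get_magic_quotes_gpc()).','.(int)$width.','.(int)$height.','
    .$db->qstr(basename($file_name), get_magic_quotes_gpc()).',0)';
/* … unchanged: Execute() check, action(4, ''), thank() … */
```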
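Review bot: `$var[$key] = $db->qstr(htmlspecialchars($value), ...)` stores each POST field already wrapped in quotes, and the password check then hashes that quoted string — `qstr(md5($var['password']))` — so the digest covers the surrounding quote characters and never equals the `md5($vars["password"])` written by register(); nobody can log in. `qstr` is also called as a bare function here, as in register(). Keep the raw values and quote at the point of use: `WHERE email = ' . $db->qstr($_POST['email'], get_magic_quotes_gpc()) . ' AND password = ' . $db->qstr(md5($_POST['password']))`. Note too that the `htmlspecialchars()` applied before hashing here has no counterpart in register(), so passwords containing `&`, `<`, `>` or `"` are hashed in a different form on login than on registration.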
@@ -146,42 +155,51 @@ */ function inbox() { - $_query="SELECT `id`, `from`, `date`, `subject`, `read` FROM `private_messages` ORDER BY `id` DESC"; - $_query=$db->query($_query); - $i=0; - while($temp=$db->fetch_array($_query)) - { - $pm[$i] = array( - 'id' => $temp['id'], - 'from' => $session->get_username($temp['from']), - 'date' => $session->generate_timestamp($temp['date']), - 'subject' => $temp['subject'], - 'read' => $temp['read'] - ); - $i++; - } - $template =& new template('inbox.tpl'); - $template->set('pm', $pm); + $_query = 'SELECT id, from, date, subject, read FROM '.AS_TBL_PM.' ORDER BY id DESC'; + $_query = $db->Execute($_query); + $count = $_query->RecordCount(); + for ($i = 0; $i < $count; $i++) + { + $pm[$i] = array( + 'id' => $_query->Fields('id'), + 'from' => $session->get_username($_query->Fields('from')), + 'date' => $session->generate_timestamp($_query->Fields('date')), + 'subject' => $_query->Fields('subject'), + 'read' => $_query->Fields('read') + ); + $_query->MoveNext(); + } + $template =& new template(AS_TPL.'inbox.tpl'); + $template->set_var('pm', $pm); } /* Function Name: message Arguments: (int) id -- Private message ID Purpose: Display a private message */ - function message(mysql_real_escape_string($id)) + function message($id) { - $_query="SELECT * FROM `private_messages` WHERE `id`='" . $id . "'"; - $_query=$db->query($_query); - $arr=$db->fetch_array($_query); - $read =& new template('read.tpl'); - $read->set('from', $session->get_username($arr["from"])); - $read->set('date', $session->generate_timestamp($arr["date"])); - $read->set('subject', $arr["subject"]); - $read->set('message', $arr["message"]); - if($arr["read"] != '1') + if (!is_numeric($id)) + { + $error->general('Invalid userID', "Invalid userID = Possible hack! Input value: \"".$id."\" User Hostname: ".$_SERVER['REMOTE_ADDR']); + return false; + } + $_query = 'SELECT * FROM '.AS_TBL_PM.' WHERE id = ' . 
$id; + $_query = $db->Execute($_query); + $array = $db->GetArray($_query); + $read =& new template(AS_TPL.'read.tpl'); + $read->set_var('from', $session->get_username($array[0]["from"])); + $read->set_var('date', $session->generate_timestamp($array[0]["date"])); + $read->set_var('subject', $array[0]["subject"]); + $read->set_var('message', $array[0]["message"]); + if($array[0]['read'] != '1') { - $_query="UPDATE `private_messages` SET `read`='1' WHERE `id`='" . $id . "'"; - $db->query($_query); + $_query = 'UPDATE '.AS_TBL_PM.' SET read = 1 WHERE id = ' . $id; + if ($db->Execute($_query) === false) + { + $error->general('<b>DB Error!</b>', $db->ErrorMsg()); + return false; + } } } /* @@ -191,7 +209,7 @@ */ function send() { - $template =& new template('send.tpl'); + $template =& new template(AS_TPL.'send.tpl'); } /* Function Name: send_process @@ -203,7 +221,7 @@ } } $profile =& new profile; -switch $_GET["mode"] +switch ($_GET["mode"]) { case 'register': $profile->register(); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
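Review bot: Neither rewritten query scopes the mailbox to the current user — inbox() selects every row of `AS_TBL_PM` and message() fetches any numeric id — so any caller can read, and mark as read, every private message on the site; both statements need a recipient filter such as `WHERE <recipient column> = '.(int)$user->data['user_id']` (the column name is not visible in this diff) and a logged_in() guard. The column names `from` and `read` are reserved words that were backtick-quoted before this commit; without the quotes both SELECTs and the `SET read = 1` UPDATE fail. `$array = $db->GetArray($_query)` in message() is the connection form with a recordset argument; use `$_query->GetArray()` or `FetchRow()`. Neither method checks `$db->Execute()` for false before calling `RecordCount()` or `GetArray()`.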