From 4fa8d36ed5beaf7125083ec65b355f09a92621c2 Mon Sep 17 00:00:00 2001 From: rvelices Date: Wed, 1 Jul 2009 20:56:41 +0000 Subject: - remove warn on unset variable - insert_user_comment expects now the comment content to be sql safe (works now exactly as update_user_comment) git-svn-id: http://piwigo.org/svn/trunk@3488 68402e56-0260-453c-a942-63ccdbb3a9ee --- include/functions_comment.inc.php | 48 ++++++++++++++++++++------------------- 1 file changed, 25 insertions(+), 23 deletions(-) (limited to 'include/functions_comment.inc.php') diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php index 9b1d323a1..4d004589b 100644 --- a/include/functions_comment.inc.php +++ b/include/functions_comment.inc.php @@ -99,7 +99,7 @@ function insert_user_comment( &$comm, $key, &$infos ) $query = ' SELECT COUNT(*) AS user_exists FROM '.USERS_TABLE.' - WHERE '.$conf['user_fields']['username']." = '".addslashes($comm['author'])."'"; + WHERE '.$conf['user_fields']['username']." = '".$comm['author']."'"; $row = mysql_fetch_assoc( pwg_query( $query ) ); if ( $row['user_exists'] == 1 ) { @@ -156,9 +156,9 @@ SELECT id FROM '.COMMENTS_TABLE.' INSERT INTO '.COMMENTS_TABLE.' (author, author_id, content, date, validated, validation_date, image_id) VALUES ( - "'.addslashes($comm['author']).'", + "'.$comm['author'].'", '.$comm['author_id'].', - "'.addslashes($comm['content']).'", + "'.$comm['content'].'", NOW(), "'.($comment_action=='validate' ? 'true':'false').'", '.($comment_action=='validate' ? 'NOW()':'NULL').', 
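Review bot: Dropping addslashes() from the `WHERE '.$conf['user_fields']['username']." = '".$comm['author']."'"` clause, and from the two INSERT values in the next hunk (@@ -156), moves the SQL-escaping obligation to every caller of insert_user_comment, yet nothing in the function records that precondition; a caller that still passes raw form input now builds an injectable query. The docblock above the function (outside this hunk, like the rest of its body) should state the contract, e.g. `@param comm array - 'author' and 'content' must already be SQL-escaped by the caller (same contract as update_user_comment); this function does not escape them`. Because the escaped values are later reused as plain text (the admin-notification branch at @@ -171 applies stripslashes), the docblock should also name the escaping function callers must use, so that the later unescaping remains a true inverse.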
@@ -171,25 +171,25 @@ INSERT INTO '.COMMENTS_TABLE.' $comm['id'] = mysql_insert_id(); if (($comment_action=='validate' and $conf['email_admin_on_comment']) or - ($comment_action!='validate' + ($comment_action!='validate' and $conf['email_admin_on_comment_validation'])) { include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php'); $del_url = get_absolute_root_url().'comments.php?delete='.$comm['id']; - if (empty($comm['author'])) + if (empty($comm['author'])) { - $author_name = $user['username']; + $author_name = $user['username']; } else { - $author_name = $comm['author']; + $author_name = stripslashes($comm['author']); } $keyargs_content = array ( get_l10n_args('Author: %s', $author_name), - get_l10n_args('Comment: %s', $comm['content']), + get_l10n_args('Comment: %s', stripslashes($comm['content']) ), get_l10n_args('', ''), get_l10n_args('Delete: %s', $del_url) ); @@ -216,10 +216,10 @@ INSERT INTO '.COMMENTS_TABLE.' /** * Tries to delete a user comment in the database * only admin can delete all comments - * other users can delete their own comments + * other users can delete their own comments * so to avoid a new sql request we add author in where clause * - * @param comment_id + * @param comment_id */ function delete_user_comment($comment_id) { @@ -245,12 +245,13 @@ $user_where_clause.' * users can edit their own comments if admin allow them * so to avoid a new sql request we add author in where clause * - * @param comment_id + * @param comment_id * @param post_key * @param content */ -function update_user_comment($comment, $post_key) { +function update_user_comment($comment, $post_key) +{ global $conf; $comment_action = 'validate'; 
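Review bot: stripslashes() on `$comm['author']` and `$comm['content']` is an exact inverse only of addslashes(); if a caller escapes with mysql_real_escape_string() instead, an escaped newline (backslash followed by n) or NUL becomes a bare `n`/`0` in the notification text, so the mail body would no longer match the stored comment. The hunk should say which escaping it is undoing, e.g. `// $comm values arrive SQL-escaped (insert_user_comment contract); undo that for the mail text` above the `if (empty($comm['author']))`, and the same applies to the `stripslashes($comment['content'])` passed to email_admin at @@ -307. An alternative that needs no unescaping is to keep the raw author and content alongside the escaped copies in $comm and use the raw ones for the mail. insert_user_comment starts before this hunk and continues after it.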
@@ -275,16 +276,16 @@ SELECT id FROM '.COMMENTS_TABLE.' AND author_id = '.$comm['author_id']; if ( mysql_num_rows( pwg_query( $query ) ) > 0 ) { - array_push( $infos, l10n('comment_anti-flood') ); + //?? array_push( $infos, l10n('comment_anti-flood') ); $comment_action='reject'; } } // perform more spam check - $comment_action = + $comment_action = trigger_event('user_comment_check', - $comment_action, - array_merge($comment, + $comment_action, + array_merge($comment, array('author' => $GLOBALS['user']['username']) ) ); @@ -307,12 +308,13 @@ $user_where_clause.' $result = pwg_query($query); if ($result) { email_admin('edit', array('author' => $GLOBALS['user']['username'], - 'content' => $comment['content'])); + 'content' => stripslashes($comment['content'])) ); } } } -function email_admin($action, $comment) { +function email_admin($action, $comment) +{ global $conf; if (!in_array($action, array('edit', 'delete')) @@ -323,12 +325,12 @@ function email_admin($action, $comment) { } include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php'); - + $keyargs_content = array(); $keyargs_content[] = get_l10n_args('Author: %s', $comment['author']); - if ($action=='delete') + if ($action=='delete') { - $keyargs_content[] = get_l10n_args('This author remove comment with id %d', + $keyargs_content[] = get_l10n_args('This author removed the comment with id %d', $comment['comment_id'] ); } @@ -337,8 +339,8 @@ function email_admin($action, $comment) { $keyargs_content[] = get_l10n_args('This author modified following comment:', ''); $keyargs_content[] = get_l10n_args('Comment: %s', $comment['content']); } - - pwg_mail_notification_admins(get_l10n_args('Comment by %s', + + pwg_mail_notification_admins(get_l10n_args('Comment by %s', $comment['author']), $keyargs_content ); -- cgit v1.2.3
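Review bot: Commenting out the `array_push( $infos, l10n('comment_anti-flood') );` line with a `//??` marker makes the anti-flood rejection in update_user_comment silent: `$comment_action='reject'` still runs on the next line, but the user no longer learns why the edit was dropped, and the dead line reads as an unresolved question. If `$infos` is simply not defined in this function (the "remove warn on unset variable" in the commit message suggests that), replace the commented-out code with an explicit note, e.g. `// NOTE: no $infos array in this scope; the anti-flood reason is not reported to the user (TODO: return it to the caller)`, or give update_user_comment a way to hand the reason back, as insert_user_comment does through its `&$infos` parameter. update_user_comment starts before this hunk and its body continues past it.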