diff options
author | rvelices <rv-github@modusoptimus.com> | 2007-01-11 23:15:26 +0000 |
---|---|---|
committer | rvelices <rv-github@modusoptimus.com> | 2007-01-11 23:15:26 +0000 |
commit | a512c69225403aa0d6b926f757ffe23a3ff97b1f (patch) | |
tree | 77c5aea7a8ec482960363bf35c2d0fb411903185 /comments.php | |
parent | d0c2de854f17846d4bf937fc7ed95a5a6a4a85c1 (diff) |
plugins improvements: allow plugins to fail the installation/activation
comments.php improvements:
- no more double sql escaping on author & keyword (once in common.inc.php and
once in comments.php)
- now can search comment content on all special char ( ', ", <, >, & )
- author & keyword are correctly redisplayed in browser when they are MySql
escaped
git-svn-id: http://piwigo.org/svn/trunk@1716 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'comments.php')
-rw-r--r-- | comments.php | 94 |
1 files changed, 31 insertions, 63 deletions
diff --git a/comments.php b/comments.php index 5f043d58c..c7af65c90 100644 --- a/comments.php +++ b/comments.php @@ -2,7 +2,7 @@ // +-----------------------------------------------------------------------+ // | PhpWebGallery - a PHP based picture gallery | // | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net | -// | Copyright (C) 2003-2005 PhpWebGallery Team - http://phpwebgallery.net | +// | Copyright (C) 2003-2007 PhpWebGallery Team - http://phpwebgallery.net | // +-----------------------------------------------------------------------+ // | branch : BSF (Best So Far) // | file : $Id$ @@ -63,7 +63,7 @@ $since_options = array( 'clause' => '1=1') // stupid but generic ); -$page['since'] = isset($_GET['since']) ? $_GET['since'] : 3; +$page['since'] = isset($_GET['since']) ? $_GET['since'] : 4; // on which field sorting // @@ -91,43 +91,29 @@ if (isset($_GET['items_number'])) $page['items_number'] = $_GET['items_number']; } +$page['where_clauses'] = array(); + // which category to filter on ? -$page['cat_clause'] = '1=1'; if (isset($_GET['cat']) and 0 != $_GET['cat']) { - $page['cat_clause'] = + $page['where_clauses'][] = 'category_id IN ('.implode(',', get_subcat_ids(array($_GET['cat']))).')'; } // search a particular author -$page['author_clause'] = '1=1'; if (isset($_GET['author']) and !empty($_GET['author'])) { - if (function_exists('mysql_real_escape_string')) - { - $author = mysql_real_escape_string($_GET['author']); - } - else - { - $author = mysql_escape_string($_GET['author']); - } - - $page['author_clause'] = 'author = \''.$author.'\''; + $page['where_clauses'][] = 'com.author = \''.$_GET['author'].'\''; } // search a substring among comments content -$page['keyword_clause'] = '1=1'; if (isset($_GET['keyword']) and !empty($_GET['keyword'])) { - if (function_exists('mysql_real_escape_string')) - { - $keyword = mysql_real_escape_string($_GET['keyword']); - } - else - { - $keyword = mysql_escape_string($_GET['keyword']); - } - $page['keyword_clause'] = + // fors some odd reason comment content is htmlspecialchars in the database + $keyword = addslashes( + htmlspecialchars( stripslashes($_GET['keyword']), ENT_QUOTES) + ); + $page['where_clauses'][] = '('. implode(' AND ', array_map( @@ -141,16 +127,24 @@ if (isset($_GET['keyword']) and !empty($_GET['keyword'])) ')'; } +$page['where_clauses'][] = $since_options[$page['since']]['clause']; + // which status to filter on ? -if ( is_admin() ) +if ( !is_admin() ) { - $page['status_clause'] = '1=1'; -} -else -{ - $page['status_clause'] = 'validated="true"'; + $page['where_clauses'][] = 'validated="true"'; } +$page['where_clauses'][] = get_sql_condition_FandF + ( + array + ( + 'forbidden_categories' => 'category_id', + 'visible_categories' => 'category_id', + 'visible_images' => 'ic.image_id' + ), + '', true + ); // +-----------------------------------------------------------------------+ // | comments management | @@ -193,8 +187,8 @@ $template->assign_vars( 'L_COMMENT_TITLE' => $title, 'F_ACTION'=>PHPWG_ROOT_PATH.'comments.php', - 'F_KEYWORD'=>@htmlentities($_GET['keyword']), - 'F_AUTHOR'=>@htmlentities($_GET['author']), + 'F_KEYWORD'=>@htmlentities(stripslashes($_GET['keyword'])), + 'F_AUTHOR'=>@htmlentities(stripslashes($_GET['author'])), 'U_HOME' => make_index_url(), ) @@ -307,21 +301,8 @@ SELECT COUNT(DISTINCT(id)) FROM '.IMAGE_CATEGORY_TABLE.' AS ic INNER JOIN '.COMMENTS_TABLE.' AS com ON ic.image_id = com.image_id - WHERE '.$since_options[$page['since']]['clause'].' - AND '.$page['cat_clause'].' - AND '.$page['author_clause'].' - AND '.$page['keyword_clause'].' - AND '.$page['status_clause'].' -'.get_sql_condition_FandF - ( - array - ( - 'forbidden_categories' => 'category_id', - 'visible_categories' => 'category_id', - 'visible_images' => 'ic.image_id' - ), - 'AND' - ).' + WHERE '.implode(' + AND ', $page['where_clauses']).' ;'; list($counter) = mysql_fetch_row(pwg_query($query)); @@ -357,21 +338,8 @@ SELECT com.id AS comment_id FROM '.IMAGE_CATEGORY_TABLE.' AS ic INNER JOIN '.COMMENTS_TABLE.' AS com ON ic.image_id = com.image_id - WHERE '.$since_options[$page['since']]['clause'].' - AND '.$page['cat_clause'].' - AND '.$page['author_clause'].' - AND '.$page['keyword_clause'].' - AND '.$page['status_clause'].' -'.get_sql_condition_FandF - ( - array - ( - 'forbidden_categories' => 'category_id', - 'visible_categories' => 'category_id', - 'visible_images' => 'ic.image_id' - ), - 'AND' - ).' + WHERE '.implode(' + AND ', $page['where_clauses']).' GROUP BY comment_id ORDER BY '.$page['sort_by'].' '.$page['sort_order']; if ('all' != $page['items_number']) |