author | rvelices <rv-github@modusoptimus.com> | 2007-02-22 01:12:32 +0000 |
---|---|---|
committer | rvelices <rv-github@modusoptimus.com> | 2007-02-22 01:12:32 +0000 |
commit | cea58b64ee31c3b34887845bef6761edee3c6fc7 (patch) | |
tree | 66e631cdcad99b2189f57627fc77806fc3ca644f /include/functions_comment.inc.php | |
parent | 64108c075b87b5b4815f451909dd9d9b3a7f545a (diff) |
- user comments are not saved in the database with htmlspecialchars anymore
- web service: added the possibility to enter a user comment using the service...
- new comment functions from picture_comment.inc.php
git-svn-id: http://piwigo.org/svn/trunk@1849 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include/functions_comment.inc.php')
-rw-r--r-- | include/functions_comment.inc.php | 228 |
1 files changed, 228 insertions, 0 deletions
diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php
new file mode 100644
index 000000000..c5ff60fc7
--- /dev/null
+++ b/include/functions_comment.inc.php
@@ -0,0 +1,228 @@
+<?php
+// +-----------------------------------------------------------------------+
+// | PhpWebGallery - a PHP based picture gallery |
+// | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net |
+// | Copyright (C) 2003-2007 PhpWebGallery Team - http://phpwebgallery.net |
+// +-----------------------------------------------------------------------+
+// | file : $Id$
+// | last update : $Date$
+// | last modifier : $Author$
+// | revision : $Revision$
+// +-----------------------------------------------------------------------+
+// | This program is free software; you can redistribute it and/or modify |
+// | it under the terms of the GNU General Public License as published by |
+// | the Free Software Foundation |
+// | |
+// | This program is distributed in the hope that it will be useful, but |
+// | WITHOUT ANY WARRANTY; without even the implied warranty of |
+// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
+// | General Public License for more details. |
+// | |
+// | You should have received a copy of the GNU General Public License |
+// | along with this program; if not, write to the Free Software |
+// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
+// | USA. |
+// +-----------------------------------------------------------------------+
+
+/**
+ * returns a "secret key" that is to be sent back when a user enters a comment
+ */
+function get_comment_post_key($image_id)
+{
+ global $conf;
+ $time = time();
+ return $time.':'.hash_hmac('md5', $time.':'.$image_id, $conf['secret_key'] );
+}
+
+//returns string action to perform on a new comment: validate, moderate, reject
+function user_comment_check($action, $comment)
+{
+ global $conf,$user;
+
+ if ($action=='reject')
+ return $action;
+
+ $my_action = $conf['comment_spam_reject'] ? 'reject':'moderate';
+
+ if ($action==$my_action)
+ return $action;
+
+ // we do here only BASIC spam check (plugins can do more)
+ if ( !$user['is_the_guest'] )
+ return $action;
+
+ $link_count = preg_match_all( '/https?:\/\//',
+ $comment['content'], $matches);
+
+ if ( strpos($comment['author'], 'http://')!==false )
+ {
+ $link_count++;
+ }
+
+ if ( $link_count>$conf['comment_spam_max_links'] )
+ return $my_action;
+
+ if ( isset($comment['ip']) and $conf['comment_spam_check_ip']
+ and $_SERVER["SERVER_ADDR"] != $comment['ip']
+ )
+ {
+ $rev_ip = implode( '.', array_reverse( explode('.',$comment['ip']) ) );
+ $lookup = $rev_ip . '.sbl-xbl.spamhaus.org.';
+ $res = gethostbyname( $lookup );
+ if ( $lookup != $res )
+ return $my_action;
+ }
+
+ return $action;
+}
+
+
+add_event_handler('user_comment_check', 'user_comment_check',
+ EVENT_HANDLER_PRIORITY_NEUTRAL, 2);
+
+/**
+ * Tries to insert a user comment in the database and returns one of :
+ * validate, moderate, reject
+ * @param array comm contains author, content, image_id
+ * @param string key secret key sent back to the browser
+ * @param array infos out array of messages
+ */
+function insert_user_comment( &$comm, $key, &$infos )
+{
+ global $conf, $user;
+
+ $comm = array_merge( $comm,
+ array(
+ 'ip' => $_SERVER['REMOTE_ADDR'],
+ 'agent' => $_SERVER['HTTP_USER_AGENT']
+ )
+ );
+
+ $infos = array();
+ if (!$conf['comments_validation'] or is_admin())
+ {
+ $comment_action='validate'; //one of validate, moderate, reject
+ }
+ else
+ {
+ $comment_action='moderate'; //one of validate, moderate, reject
+ }
+
+ if ( $user['is_the_guest'] )
+ {
+ if ( empty($comm['author']) )
+ {
+ $comm['author'] = 'guest';
+ }
+ // if a guest try to use the name of an already existing user, he must be
+ // rejected
+ if ( $comm['author'] != 'guest' )
+ {
+ $query = '
+SELECT COUNT(*) AS user_exists
+ FROM '.USERS_TABLE.'
+ WHERE '.$conf['user_fields']['username']." = '".addslashes($comm['author'])."'";
+ $row = mysql_fetch_assoc( pwg_query( $query ) );
+ if ( $row['user_exists'] == 1 )
+ {
+ array_push($infos, l10n('comment_user_exists') );
+ $comment_action='reject';
+ }
+ }
+ }
+ else
+ {
+ $comm['author'] = $user['username'];
+ }
+ if ( empty($comm['content']) )
+ { // empty comment content
+ $comment_action='reject';
+ }
+
+ $key = explode( ':', @$key );
+ if ( count($key)!=2
+ or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago
+ or $key[0]<time()-3600 // 60 minutes expiration
+ or hash_hmac(
+ 'md5', $key[0].':'.$comm['image_id'], $conf['secret_key']
+ ) != $key[1]
+ )
+ {
+ $comment_action='reject';
+ }
+
+ if ($comment_action!='reject' and $conf['anti-flood_time']>0 )
+ { // anti-flood system
+ $reference_date = time() - $conf['anti-flood_time'];
+ $query = '
+SELECT id FROM '.COMMENTS_TABLE.'
+ WHERE date > FROM_UNIXTIME('.$reference_date.')
+ AND author = "'.addslashes($comm['author']).'"';
+ if ( mysql_num_rows( pwg_query( $query ) ) > 0 )
+ {
+ array_push( $infos, l10n('comment_anti-flood') );
+ $comment_action='reject';
+ }
+ }
+
+ // perform more spam check
+ $comment_action = trigger_event('user_comment_check',
+ $comment_action, $comm
+ );
+
+ if ( $comment_action!='reject' )
+ {
+ $query = '
+INSERT INTO '.COMMENTS_TABLE.'
+ (author, content, date, validated, validation_date, image_id)
+ VALUES (
+ "'.addslashes($comm['author']).'",
+ "'.addslashes($comm['content']).'",
+ NOW(),
+ "'.($comment_action=='validate' ? 'true':'false').'",
+ '.($comment_action=='validate' ? 'NOW()':'NULL').',
+ '.$comm['image_id'].'
+ )
+';
+
+ pwg_query($query);
+
+ $comm['id'] = mysql_insert_id();
+
+ if ( ($comment_action=='validate' and $conf['email_admin_on_comment'])
+ or $conf['email_admin_on_comment_validation'] )
+ {
+ include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
+
+ $del_url = get_absolute_root_url().'comments.php?delete='.$comm['id'];
+
+ $content =
+ 'Author: '.$comm['author']."\n"
+ .'Comment: '.$comm['content']."\n"
+ .'IP: '.$comm['ip']."\n"
+ .'Browser: '.$comm['agent']."\n\n"
+ .'Delete: '.$del_url."\n";
+
+ if ($comment_action!='validate')
+ {
+ $content .=
+ 'Validate: '.get_absolute_root_url()
+ .'comments.php?validate='.$comm['id'];
+ }
+
+ pwg_mail
+ (
+ format_email('administrators', get_webmaster_mail_address()),
+ array
+ (
+ 'subject' => 'PWG comment by '.$comm['author'],
+ 'content' => $content,
+ 'Bcc' => get_administrators_email()
+ )
+ );
+ }
+ }
+ return $comment_action;
+}
+
+?>
\ No newline at end of file |
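Review bot: In insert_user_comment, `$comm['image_id']` is concatenated into the INSERT statement unquoted and unescaped, whereas author and content at least pass through addslashes(); the only thing standing between that value and the query is the post-key check above it. That check compares the HMAC with a loose `!=`, which in PHP can treat two numeric-looking hex strings as equal and is not constant-time, so it should not be the sole guard on a value that reaches SQL. I would force the id to an integer where it enters the query, `'.intval($comm['image_id']).'`, and compare the MAC strictly, `) !== $key[1]` (or with `hash_equals()` where the PHP version provides it). Because this commit stops storing comments through htmlspecialchars, the guest-supplied author and content also reach the admin mail subject and body raw; presumably pwg_mail strips line breaks from header values and every display site escapes on output, but neither is visible in this file and both are worth confirming.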